23542300x8000000000000000320271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.591{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A621B8FAD832764B794B8E91043F993,SHA256=CA62C8E5D89362086534735B3AC31C9FB599BDA52534E770D2AA158D64F50BFC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.410{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7023EAC74833A625AD1FF676654E00E1,SHA256=7F7702B9A401BCBE13BE0B60F432BDCCCBF33CBA05F6B0BFFA037951AAE6EFBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:47.008{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.238{45AAC21C-B353-63D3-A903-00000000BC02}60483292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.061{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.062{45AAC21C-B353-63D3-A903-00000000BC02}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:47.014{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49E038AC08E30C91BED56E8D4CE64EDA,SHA256=D9CF0DD7C6BF58C748AC98C7B30FBF0AD19F46182F032A12A6A7F2D67A522CBA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:48.691{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4C4F082969EAD567A2D61BAFB31615,SHA256=3400367DAE731A6AB70E62A4676F25BD706C4C6AC78D8363BFA0EC977BC40BC0,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
354300x8000000000000000446587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:46.244{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52636-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
354300x8000000000000000446586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:44.707{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.501{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B987C5074B18BB08197DCC4C8C3FA7,SHA256=750174A362ED86C94FCAA64F39778D3A745A57B47685FD341A11F164B529A4B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:48.080{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=28DEA663624D00EA97EE6E1820AFA363,SHA256=B6C036D089F2F489341C2D28819A1A3F2345CACC7C51C028B4A1F86E911F1BA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:49.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18E65A5359D32DA150C7B1F1E093D7D,SHA256=0150794E3C51A7BC1EF13C4D2E8BC1772C2668DF54D3553CA57D2E9F811A7A9F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.922{45AAC21C-B355-63D3-AB03-00000000BC02}42125980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.719{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.720{45AAC21C-B355-63D3-AB03-00000000BC02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F51C12ABE99C8E1D12ECF2650E195465,SHA256=046E99F748FE0399CC2839429093883ACA7EFFF31F4B8BF055558D4F148F2435,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:46.294{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50921-false10.0.1.12-8000-
10341000x8000000000000000446597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.380{45AAC21C-B355-63D3-AA03-00000000BC02}24284872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.190{45AAC21C-B355-63D3-AA03-00000000BC02}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:50.990{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C45B7EF8698BF101EDDF9BBF548307C,SHA256=41E6E195FAA5CD48DB1B83D6A9C406F2B84A19B801BF8CCBD0F42A57176B7F04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.676{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544352C22D8C5ACD396C58D4AA1AF4A5,SHA256=AD57D1425138AA3C4C69DAF113FB1F1147B714AC033AD811FCC928AAB7E94D55,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.558{45AAC21C-B356-63D3-AC03-00000000BC02}26242476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.347{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:50.348{45AAC21C-B356-63D3-AC03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.780{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021F65E070621DF26671610B5746422A,SHA256=1A0C27892C4D8B5523844ADE7C7DC77A145F593F1B5D50FF8BD2DA4273CB0131,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.764{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:51.765{45AAC21C-B357-63D3-AD03-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.887{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA218BC0F77EA73D2FED573FA777FB77,SHA256=0AE3EB12AD8C58A7319D078E062A28AFDB8601DD77B00DE1507C029B2DF97A08,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:52.871{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE60FEBB0F67C1FD440190B8379B0AF,SHA256=045AB78164686D9184CA170FFA8E92B27E759CE2E37CC675906F12B4A40AE0E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:52.189{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C35B21B785C3FAE91C1C74F82C69D8,SHA256=0CE5A22F6A5D713A390663FD2E144CB83944578634E629700EEA71AB12AFF4F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:53.953{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9A8C183C267EB3A824BAED154BF0F2,SHA256=81150A142DD4D263210E3F9CA2FB07517DD5C650F8D9DABA6F043B73D286A11F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.932{72106695-B359-63D3-9303-00000000BD02}54366036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.635{72106695-B359-63D3-9303-00000000BD02}5436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:53.267{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AF59E0EFC33F1405B067824FFC6CC7,SHA256=9392D22C9E2A676A28D1CB98D1167EDF680DEB48C5C249784F7AB19BB1F63345,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:51.299{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50922-false10.0.1.12-8000-
10341000x8000000000000000320305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.812{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.813{72106695-B35A-63D3-9503-00000000BD02}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.797{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2288417BB9988ECE2255FD1A9E8FD5,SHA256=9DD96A86AD2DCF0ED036EBA1D6042DC442980C40AABD904AF152FA1385E859C9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.578{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=72A1A06454ECCBA4A9F8B6FFA072B9B1,SHA256=0D4B0B64C04D9B7FABA8BE3D42FE3DDF20F3F9C392A05DC5A856F25CB5BD8F06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.356{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A344CE91AC907E2DF781E2102B1FF895,SHA256=16417B8417B585AAD35985AB3901FABA405DB9DB7A6923473843075A5A2A0EC6,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:49.844{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000320294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.138{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:54.139{72106695-B35A-63D3-9403-00000000BD02}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000320324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.952{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.953{72106695-B35B-63D3-9703-00000000BD02}1856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000320316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.515{72106695-B35B-63D3-9603-00000000BD02}56885412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.456{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4363C020AA16C43286C8B2FA7EB1A58,SHA256=AEE286FAE4ED1781C7A8155D766C5E3EA169CBB637F1DC8BE3915679FAC8C748,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.057{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912D4B7651B5E558B837AE0BFC11EA0E,SHA256=D636B4EDC329EC0C2EB74172D264FC7EDB710E9195DA56FF77A7C3286632B4C6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.315{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:55.316{72106695-B35B-63D3-9603-00000000BD02}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000320335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.764{72106695-B35C-63D3-9803-00000000BD02}15525404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.576{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.574{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.573{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.572{72106695-B35C-63D3-9803-00000000BD02}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.536{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D626B972B58A57ED56DF5E4ACBCE26,SHA256=87AE8B86D9885391F461A57698A3A1FE8A7920135F564FC27CBA448F384465A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:56.152{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5844036460BB11AC88B00E8A5D489382,SHA256=F0FEBC53D896773850681361DD5E44A6634DE3EB81B0E4494B27DF4274042BB1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.143{72106695-B35B-63D3-9703-00000000BD02}18563160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.731{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDD65C2EB810E79DD89FD3B8A7FA514,SHA256=E2F48613E1B967A15D1F743946B6F5656A5C4898447CBBBD80BA8071E449449B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:57.238{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C181F66862CFA7F86EE4D0E2A3DF5565,SHA256=391DF69A3261BC900EF190D3D620B7ACEC4F402AA6E5892ABF853780ACF2FDB8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.126{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:57.125{72106695-B35D-63D3-9903-00000000BD02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.822{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F923ABC6AADC550184E088715CE7A75,SHA256=E28F91A7A25DE60CF8D30957E4D3FC1280FF724ACED23F658D3B09E72CD5E077,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:56.520{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50923-false10.0.1.12-8000-
23542300x8000000000000000446635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:58.311{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B6B434E97602DEE9B79C461EF27D72,SHA256=81D42A3A0789D69D4274E38356C3338EF8A80E37145D0A155C6A1D2D4A40C1CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:58.453{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=975A04F65D3768A74817E995DB334013,SHA256=7B19DC295CD51EBFE4779AAB375AD4500ED6CA1957D4568032C8F9E6E7528A15,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:55.768{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000320348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:19:59.918{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E19E9F10A313B9FC032AA72C9801C78,SHA256=DF7538E95DE4EC8FBC8A5FF80064B2A90F0BDD403FBE3D3435ACC2996354D359,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.532{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.496{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.458{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.451{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.429{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.423{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.414{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.403{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
23542300x8000000000000000446642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.393{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809AC2930A49C97F440A7447ABAF52F3,SHA256=48FBED29F86C35F5D02F971712435C07E3C5161EAF0FFEB4FC31A24AF6822F22,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.382{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.364{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.355{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:19:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
23542300x8000000000000000446661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.425{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369729BB0FAEF8F39C3F0102C559E9D4,SHA256=CA5583426D7107B0500A8BA64A973252F53E8B8A3D8B5ACF4A56ED7070E47E4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.754{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.739{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.737{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.696{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.685{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.666{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.660{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.658{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.655{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.654{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.651{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.645{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.642{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.641{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.640{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.638{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.635{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.625{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.619{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.610{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.607{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.586{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.560{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.554{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.536{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.470{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.455{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.432{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.414{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.381{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.375{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.366{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.350{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.336{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.325{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000320349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:00.323{72106695-9B85-63D3-2000-00000000BD02}20003852C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001B013C90)
10341000x8000000000000000446660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.109{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.104{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:00.102{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
23542300x8000000000000000446662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.503{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E914A25976215888BE772BBA02E50509,SHA256=41EB8D549237BA3B30F676A89678D0F6FCC33ED1DA3505BCC644B6925A13BA80,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:01.159{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AF0CEC9F1E39B711B85338CE43941C,SHA256=CA77D3C09404D1D32B7E3740FD3690D3CBA4BE8B2008ACF037505ECAD3E4DDEC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.791{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.769{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.730{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.724{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.714{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.699{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.698{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.695{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.693{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.691{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.689{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
23542300x8000000000000000446668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.594{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77697FD3EAD7EC6D7AB80AD51A954050,SHA256=33C0C49692860CD30B72FC935A34936DF6FB00B3672AB7ED910C1666A1DE4F4E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.176{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEBBBC1077461D1147C051F5145626F,SHA256=CE245D9400821905FA30E301F92458FAA7C0F4A4168E0808A218FB77B0201AD6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.184{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.182{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.167{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
10341000x8000000000000000446663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:02.157{45AAC21C-9B96-63D3-3000-00000000BC02}28483464C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108A90)
23542300x8000000000000000446683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:03.786{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BDDF6CE945761C6CDDE99348EB3B62,SHA256=E5BE8931F5439B6AC75722D4B4B3B0484CF0BA8F9F31EFAFB2E38FD6E73645B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:03.377{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAE62C2D587899173D18BD06A6CBF0B,SHA256=85AB44A2EE3C1CFC8D8A171C3F57690F9C7C205CAE3D315606991A835883D46F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB8FB7C775C27EBFA925E443936B16F,SHA256=74EC877D7A5B6E664B1199DC60C146A05A5D1E765426020C804ED5B631D0F862,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:02.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50924-false10.0.1.12-8000-
10341000x8000000000000000320390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.728{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:04.478{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AD5B64C89D843E32477BE313F40491,SHA256=BF250D13C2F5AFEA21F26CE08359FE4920CF78A8BAEEBBC3E2ECCD43AE223186,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:01.742{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.113{45AAC21C-9B96-63D3-2E00-00000000BC02}2804NT AUTHORITY\SYSTEMC:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\database_C64_5811_6457_FFBE\fsr00007.logMD5=AF4D225B60B65DEA33EF59F92EBCFC6A,SHA256=3FE807AB4B2509D9D058FC62DBB74CDEE8B5C3A1A66265522AF542733FAAA3FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:04.004{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-098MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:05.575{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21325CC461ECBD7F1B42A80F166B159C,SHA256=23B91CC7D5A3CDE9933F1BC1EBCA065F62161716AA19047FD3A21A7AF5517F72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:05.002{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.757{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:06.662{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8265681E334A63291C331EE4F28092C,SHA256=F5B79387570EEC18A4F08B9A74857237ED6842A057342C1335C55846220FCC3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.082{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6A7769EDE96FE7660080724390790B,SHA256=88C637D3854829779105BD58890111D0404EFD13863148F1AF6F0929C04DC439,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:07.183{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8564C3AFF641AA446AF32BF3A20C371,SHA256=5BDB8ACE6D1CB827F2750BF5F845289563A5DCCC62132117A97A7045EA5CEBD5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:08.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2A81FF8AB1071BDEAD4056D62ED7BB,SHA256=E6A4E4245D747D798CCE697F0A22374CEF2BE3FBE946DCD992CC0ED610617CFE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:06.764{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:09.350{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E922C80D1CF4A2355D447E23FCCC4E,SHA256=84DB221F8B0D28E0667D123318F0E25F21699F7726657EAE26C1954EF5F5B074,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:10.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E513B27BA5FF0D69AA099315387FF6A0,SHA256=4781856ACD93C760FAC7CF4D3F37BCD9C820BBF78202D7408F0A0BB6DDE21FF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:11.550{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9466F704BA96F37B3F33D5727FE08360,SHA256=FDE9557173C0F01FA8FF07FBF94909F4EA5C8434A24FA7D7523AC3A56A143F63,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:08.288{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50925-false10.0.1.12-8000-
23542300x8000000000000000446696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.772{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9809CD800390A5833B300E23FEEA8F,SHA256=F5CDB888688E31B2B544552766010583F8D0DE861A77FFCB33F95D4AA659D6BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:12.212{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D997E1000D3C66CAC338D026C922815F,SHA256=E33371C747D54570379AE7C805B15721EB430C6CB14F005DDF22FA6C83299DB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:13.972{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA2179D21707514B31A80B8E43BF2B1,SHA256=314A7533AFA181185755CD281DE0945D5ACB2A5FDFB0379F6F6B29E6F5CECEFB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:13.294{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B58ED8A256B6E3D7B7DDC87B50B1B75,SHA256=1196F0725795CCBC55BF0B461DA7FE557B74882EAC78200A22ECA88426D7B51B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.988{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38BB658FE45C9E1285EA9DA5714AAF94,SHA256=37FEF2E395189EFE806ED416C8AA81943A45D441E2307E6BCFC4E3F63A118AAE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.497{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DF834B56BB8FAAC6DE3E0392A2B38,SHA256=F0D757CEEC755C7DC4AB94C7952EF5D4D674DA2E0C37490D7BA45FAD117C9579,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:15.597{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70F5C80A597C245A5C92EDD52469F81,SHA256=7516D294C77AA3BD1F38B76A9482A07B47E3C5F2C3A91970DBA338E9D888BC0D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:12.749{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:15.073{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4D73BD1420EC1CCF1D0C06B41C6D90,SHA256=860D554570293B1025560A12EB3D3200E6C645DE79C4020939700C01277193E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:16.794{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A697C2FA9065013EAFE0A5534AAFE673,SHA256=8ACCBFB169BB17FFD3488669E1999A9D0EFC273F49307648AF0B7A4E80E313E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.186{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148A156B8CDB6FED0B9C965AAE11B4DE,SHA256=80C39602CE011E89E03790653D17EAF96AF95AEC67AF664765DC01284167D348,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:16.171{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E30F81A702F02EE3C1436A2BB3747475,SHA256=32488F6914C24F6982BD5C36FB6C181CAA1DF0CD20B639087CF649E9B91310B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.881{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E589BA203A9B9DA662AFCC50702DE95E,SHA256=E05AAC730F3ED670B425FF57C04D5D59C4441BE6414B8E694C87DE192F2D4D95,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.267{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C158F6B532AF7D01E63C5499D4D5F8,SHA256=10B5C519619CBC34A2EA01DE0966592A1BD57E4FC8AA5855444C770978F91346,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.236{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=25928559D4423478D19F40F1766D0278,SHA256=23348DDF1B9FDA908ED7F7B7FA37042469FCDCC0600919827A3BA0B546E06B03,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:17.412{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000320428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:14.301{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50926-false10.0.1.12-8000-
23542300x8000000000000000320433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:18.963{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3CE1784E06077BEAEAFFFFE0933487,SHA256=B6AC6D87FE8C770A1F40DA86A7F0D329ACAF037A9F19B26C78518470AB18CA1A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:18.355{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0299BE4F53DB9885959DF4CA8BA469,SHA256=180C7D18F41B34C7867C9484922F859D99D612C0BEC2C5681923FC35B6EA95DB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.662{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.647{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.640{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.637{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.635{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.631{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.575{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.569{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.554{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.526{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.516{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.441{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000446710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.440{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C99BF484FECC762A344E47BF9C45F72,SHA256=B2644C8E0DC75B0BC74C920CE0DEEC17932181207CFA76F57C8D768E2F892810,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.407{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.392{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.309{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:19.306{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000320471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.981{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.947{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.940{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.872{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.860{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.826{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.806{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.801{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.793{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.788{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.783{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.773{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.769{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.761{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.758{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.754{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.749{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.735{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.708{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.697{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.686{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.683{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.669{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.642{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.637{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.621{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.559{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.548{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.530{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.516{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.485{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.456{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.410{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.383{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.372{72106695-9B85-63D3-2000-00000000BD02}20002836C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850)
10341000x8000000000000000320436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.351{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.341{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000320434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.292{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF3B4307B3F9DF7A98DACD8BB44CAB7,SHA256=9814CD77D3AAB1E5E8F763234200A07CA4588832AD7441FC9EBC76620BFF1ED1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:17.866{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52642-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.458{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318FFECA826B6DAACF9BC4DF4B23E9A8,SHA256=ACD93D3F09E5F57E03FC39CD2FA77FB2F7AFB9F11D9840A116A0E754B3C2D0E2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.402{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.399{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:20.390{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000320472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:21.778{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B167133BD4097A67DD5A1BA0EC21EF1A,SHA256=0FE05383A4C89417455BBAE1E676833BE4466A4F4C9A2D6510335290DA407721,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:21.455{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070AE7B0C375FC2DD63B5A39500DE660,SHA256=E10234872A05137FBE563D3009074F7D9BF70ADE1C541416E4C6EA92E9B0E766,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:22.977{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DB100E5C4CC3A64A3E10598E01E57D,SHA256=9A36B8B9EEC745A37DD0A683951CE24CB4D0480F19F9BEAF0BA07ECCC1239549,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.994{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.987{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.978{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.972{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.970{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.967{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.964{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.963{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.960{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000446738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.537{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF2F00747C65A0DE28F8A0BA9DEC591,SHA256=A1B530D4D927B0F7DB94A44D7D836317A2DAF0A5669CC32AC3D5F21C9D9B847B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:20.297{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50927-false10.0.1.12-8000-
10341000x8000000000000000446737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.445{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.434{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:22.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000446753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.624{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041F866AE72EBE71FC1DDCEE7F5955C3,SHA256=46768719E538F2FF28E7F85E4E310086F226315586D0572AD9A1697EFB42CE1B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.159{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:23.138{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.069{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.048{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.043{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.034{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.021{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000446754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:24.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5149845FCDA86CC30FD41E5C515B23,SHA256=A81C780D1C2DF3A3915DC4592ABBCB0BA0F671D1ED405BBB852E18CA3CF8333B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:24.063{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4B8334773C8B2C23BEAA0865E2A2B5,SHA256=457BDCEF088E0C5DCD23E6824B3777AE85ACF40A9DCDB24AE01D50FD4F3C3748,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:25.821{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185778E62DC01D6FAFAA339F73F0F172,SHA256=29817013BDF70C1406C4E1FC29D580B10C3F8C8944F8730623C85D97994AF426,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.166{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273F29BA69DF537AE328418F8D489F53,SHA256=353E19C93648070E7A1262439387A4683953D23B3907700C9DFB0BCDC883D072,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:26.272{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBC242640AA643BA55110CDD7DFA992,SHA256=2775E49D47F36A5550EE644C0AF15EA2C6EE578E201384DA36E2EFA62A5746C0,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:23.811{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000320483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.568{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D371484151D886A6ACBD93D6764528EC,SHA256=B837C371428EC780DEEB8B29C4311AA28BF01936B62435B9EB3FF41A0B96CE94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:27.365{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BF62233977A9AB38CD79C572FB21CA,SHA256=E4CA7411BB2E80ECDEDFAD79BDCE7E3CBA12D71A63784436EDC513382C3AF38A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:27.022{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5388432452CD2823A8098381EA74622,SHA256=2AFAA8D4A8A2E0F1172CBC8AA94B55F750E1F56B4F6D1A8FF60B61781984F55B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:25.346{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50928-false10.0.1.12-8000-
23542300x8000000000000000320484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:28.469{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1012DE7CC1F704E0299FF8BA9B143A1D,SHA256=5FE772F986008AEE41EE048FC875E5CB6BFA3155EEB43F706CDEC2C5527095B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:28.329{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322E4AF7561D04AA447F12FBF594778F,SHA256=13B2220207780D5EE2EF72ECFA51752B8ADC04AF5360E49E214F742CD87D512E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:29.563{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4511EB127F2B21107892063983CB2FCB,SHA256=95FB90BF32D464425F1821798541795871D59802EC95122853BEB67D64BEDB83,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845243B512BD020D1F9D03DA2C843CEE,SHA256=EEB3615DF0096DB7A9A5977247536251D93E0E4109D0009C47C929FF4E49E9B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:30.633{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FC20005AA9E78B2B085E899C9F9776,SHA256=F2B1122CD28225A8883108CB7DD8F8C07911A282F6B48A575C5909C231A09A94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4056E579BEFFE78514372980C6743418,SHA256=4AFA19F43EE493F641C9FEE2FBDE0485D7E1BA55D681EB05462951F658B7DA58,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:31.762{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9EA80EFF591E32D7022CC40D12056A,SHA256=A98BBCD6AC7ED19630640EC7AB545A287A51CBBE12B40B32E51DF9FA73707BF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:31.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F34EAAD19544FA3D8FD83C30D63E148,SHA256=52F52C380B99DC81B33E010B697A876BEF2C09067F4C977C22058D1D9F035FD9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:32.972{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4056CC26C7816640C40735AEE4D4DBC,SHA256=673AFC48129EB5AD65CBD1D816D4488CE720529E01DCD5B3044C9DD93B46CA7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.929{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C16E697FBA4F2265175A9DF2387EC3C,SHA256=BCF5993C99271B01B9A316DFC7A91A5C83888743D28500E1227CCC8A8A2FF448,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:30.464{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50929-false10.0.1.12-8000-
354300x8000000000000000446763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:29.712{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000320491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:34.068{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391CC83E0E0EEFBA574010BB392CCF3A,SHA256=38B8F61070BAD51E53E7F5AFB8B2893CED17D7D9BC207498CB1D7AB9F9A975F3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.066{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3E4CAF5D1FE25AB8E479CB31AD19D0,SHA256=0CC6C943F34ADEB736B2E0655BBE1B31E24F8399B31CF44D9A12A246E1284F3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.164{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3B4EC5BD6695FA92CF164849A4FB84,SHA256=C18832FD6BA099AC16293AA6282C0EA3E258943FE94F67B584034E0BABF32B40,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.593{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000446766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:35.120{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E99564E01E3F26A003DA70C9365B17,SHA256=568333C22FF091BB7C9F2016DF14C4EC3944DABAD30E1D7F8E9B0DBC24C49CBC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:36.258{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96C1721AEBC953B14CD3809D4F23EFD,SHA256=4EA83FE52A1AD5988B8D51ABA9ADEE8D555A15109FC89DC4C428343CB082C2D2,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:32.750{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52645-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x8000000000000000446770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:36.205{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEBA81F63196920A5ACB21927C02CB5,SHA256=3B658500F689AB2807DF71F0049F079D126BAD2347A9606FC6801E2A1136F311,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:35.511{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50930-false10.0.1.12-8000-
23542300x8000000000000000320494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:37.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1975795973E464A08EC6227D0116D5,SHA256=34811674FC5B03C0971623784792AF4A992BE50149B1CD85B069F7322EB508F1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:37.300{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A267007CE075160D3E41171AFD5612D4,SHA256=3D39CED1AAF0C2B99A5539A367090C3310467F5416D365848A213B0C465D5BA2,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local65358-
354300x8000000000000000446773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.344{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53380-
354300x8000000000000000446772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.343{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local59591-
23542300x8000000000000000320497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.755{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD533E7B19629F9ECCE3698CCEAD57D,SHA256=0723DD95B5307664CB4EDB1BEAABE960032665F1EB46D45A03A8D252E1FFC2BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:38.271{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0965909D79DDD42587E6C264C9392982,SHA256=16D7E1CA0213733BDD4142840080627963A7639EE80242C034EECB0B8420FE3D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.793{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x8000000000000000446776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:34.345{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52025-
23542300x8000000000000000320498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:39.541{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E4301ED2BDFAE7D4E20A3350F6F9BE,SHA256=92B1CA082E5336EBD749F2D6B1DB5D68DEF303556C7074BEDB617D31F1B7E5F6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.560{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.545{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.533{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.528{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.525{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.522{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.474{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.454{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.438{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.427{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.406{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.396{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.387{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000446781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.346{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA8450BC877FFD3F7DB1D4F78E48288,SHA256=79525B30D4F6253F4050CEE1D594CEA4AB0B634E22B48C7005460EB2F61354E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.325{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.307{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.822{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.804{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.800{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.766{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.755{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.741{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.735{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.726{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.723{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.720{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.716{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.712{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.708{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
354300x8000000000000000320524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:38.008{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50931-false10.0.1.12-8089-
10341000x8000000000000000320523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.698{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.693{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.685{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.679{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.666{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.639{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
23542300x8000000000000000320517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD573487E4D913CBF0F5FFB65AC95981,SHA256=23E6016CD9EC42072B958D94F67CF0EA529BD96DABD930A581D4D04F0103DF7F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.621{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.599{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.594{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.576{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.558{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.555{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
23542300x8000000000000000446804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.376{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DDA029D90A577E02029DB0FCBB6DF5,SHA256=CF8135B2BFC28D60F0532E6705BE4AFAF019D06007F421EADDC404AF52674B78,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.540{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.473{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.462{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.447{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.430{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.402{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.389{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.374{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.359{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.344{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.335{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:40.330{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000446803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.156{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.153{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.150{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.145{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:40.142{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000320538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.806{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2361354175A6E3A038FB5E1277A80CD3,SHA256=C12F6048AC7EE0705639248AA745778300C401F60AF93F8E57CB77122D3E0245,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:41.471{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591BEFD8692BEB1DEA4E82A7BCAE1EFA,SHA256=526D4A4D0CFC0FE9CD377A415851BF4775FF2FB8F54FEFD43DE3A99A3D83DDA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:42.925{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0245F09475B69352DFDB08447844A6,SHA256=BCF81BF25499942A32E5538CA356173849D452D4BB03D0CDF14AD460CACB4316,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.815{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.796{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.793{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.783{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.769{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.746{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.740{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.729{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.724{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.722{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.719{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.714{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.713{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.709{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000446813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.553{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DFA7C9DF7E6B14DCBC89CE5D01B48C,SHA256=77936B9B2A9896548D199AB0FAF81BB66DDDBA389DF73A5CCF33738B2EBCF893,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.342{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000446811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:39.827{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000446810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.201{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.200{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.199{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.186{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:42.178{45AAC21C-9B96-63D3-3000-00000000BC02}28482448C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000446828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:43.721{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9E4ECC0D7AA5FAABAED532EE61BC2B,SHA256=172493BE8D55D19E35247BCE7C71593959F7F94876F6595D9079B03D877CF585,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:44.822{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598493BAB1FDBE09C0B2795FF7A1D231,SHA256=2ABE456EE696E5FE05B6BF205A9BD40708941BFB3E8460FDA1814C31597E1FF8,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:41.499{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50932-false10.0.1.12-8000-
23542300x8000000000000000320540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:44.005{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80A36F43ED4BE405D88E9B16B33F2CA,SHA256=A1CF59B244C0E65A6F49C392D1DDE6F0AB5A10D91246E49705A0A40C6475D4C4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.957{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.958{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.926{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D936C7119BAEDCD9167B697E58409E40,SHA256=13947095DD9FE2D0D15E9D06E8D0B251D9ABAC8491F802C4980DCAD6CD46DE14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:45.094{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F525FE941B05EAF8AF70FE4619EE76B,SHA256=785ACAC92AB870677D841CBE2482B5AE5681B8C6CC438DD1D9E6FF7FFF1A7D1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:46.181{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC863D7CF5AFA4CCAC3C46B6BF3622F,SHA256=6F4FE8F9D5AAA1CC422121889123B81E79B2C772E4A8E72648F684DA666E8E57,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.630{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.631{45AAC21C-B38E-63D3-AF03-00000000BC02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000446843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.170{45AAC21C-B38D-63D3-AE03-00000000BC02}48763008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000446842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=26C0E71D9551AECDF53DF6AE336BCC70,SHA256=030798747DD5D67ADECA77827C91EC4245B5F4760D780B8CAA59335F9C08F772,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.075{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000446840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000446839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.072{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B38D-63D3-AE03-00000000BC02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
23542300x8000000000000000320545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.542{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-099MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.273{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C6CD7AB479D9603AF0100751D4EB25,SHA256=6CCD5BED9B02AFE4D6DC6E9B7DC4BC2EB15AD0D7C0BFFCDBA2076C109ACCB677,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.408{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A1B91F3BA43D5E279E235C61722F746,SHA256=F86ADB782C801A363257E8B8D11732AEE70FCD17382D68C176A6420DBB3EBA19,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.361{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E48DC6697706B3CF34036FED758D4F0,SHA256=744E4978D440C122D10B94C7A403D816E9FCA700D646E5F2F184833AC61D7F92,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.132{45AAC21C-B38F-63D3-B003-00000000BC02}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:47.021{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320695F230B49777C1FF9196159A9D7D,SHA256=DB67D0CE05B56507C128446B982763A0751B5D0B793AA4A4A2ED2565970BCC71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.555{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:48.363{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E621562CFEF6B29CC1E4F3B9B6FF51F3,SHA256=4EC3AE0E8F8B51B872A6D161130229E1555794EF2FF299C35EAE9DDFE40BE4FB,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:45.814{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52648-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:48.107{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44DCD969183947730E377A1DA6538CC,SHA256=64A488796530A2D0C65D470F288BE74DDE664D76F7BD3A16A37CAFF234C5F009,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:49.670{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82D8B8DF0274B021F4C65DC59A8007A,SHA256=11A0415D2B9B15A1CB1B493DAE0A7E57AB9033FBC81F293724929FF195BC0D57,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.911{45AAC21C-B391-63D3-B203-00000000BC02}53561972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.691{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.693{45AAC21C-B391-63D3-B203-00000000BC02}5356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000446876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
354300x8000000000000000446875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:46.248{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52649-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
10341000x8000000000000000446874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.410{45AAC21C-B391-63D3-B103-00000000BC02}37364808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000446873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.207{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48349CC772F6E5D004B09EAC5E3E0CA2,SHA256=0A2D8E6F077A6397D18625919505C0062208C2C29802BE8A5C63A8AB3FA62932,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.191{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:49.190{45AAC21C-B391-63D3-B103-00000000BC02}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:50.773{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84789003EC08DED80A4AA210C48F911,SHA256=0ED465CB8BD901CFB3869E2C45C4D1FC06DD9FF9ADB2B3021F930EA8BF1B6E12,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.540{45AAC21C-B392-63D3-B303-00000000BC02}43685880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.368{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.369{45AAC21C-B392-63D3-B303-00000000BC02}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:50.290{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4920A9DF9DEE3E4940F7402A0D298EE8,SHA256=8670871B0DD29AC2F4B8CB7F425953E8C597030932C5106DE42F6116C025E637,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:47.410{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50933-false10.0.1.12-8000-
10341000x8000000000000000446904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000446898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.767{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000446897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.768{45AAC21C-B393-63D3-B403-00000000BC02}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.377{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6431CAEAFB18497B146D5AC119D424E7,SHA256=F07B2D1A7784D7E6CAC59516A6B1D7F3983417444DF3073A500E6E992701CD93,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:51.859{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870CD3CC7BAC09421FEA53D352A9E56A,SHA256=5380C8A550F68362B2CD332837576205F199792EDBCEB462144210EDE0D19423,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.873{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93FFC9EF0B21DD81F1ECFD7CBDA55B09,SHA256=437B094F6D97B770D6789A3CD57D4199CEDD10D841B11599ADE03E23FA7BDC4B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:52.685{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D3AD7776C7C04BEEE3CAFC8D6049838,SHA256=EB889F0A0FEC830E616841B578E82FBEC8617724564A9E78610AD9C1964D2970,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:52.966{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F1E1B30AA4A15142AB6E1C3EE9A6B9,SHA256=F9D1F0595478CDEF551951E6E37E0B36C255EBFB0735A8CC9F2E1B7D245A8518,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:53.781{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAE50C3AF69F3038D8B436DDAE308F6,SHA256=4E78D8BC31FC716846C2148BAF09209E2220211A54B65C0212757F7861DA3429,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.961{72106695-B395-63D3-9A03-00000000BD02}54286104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.883{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8BD50C432523D50DE0396F05B32967C,SHA256=B67B8F6C8DECDAA506622C111F0E80772822D3E67E5A4BE9D323761DDAF6F3A8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.793{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.643{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:53.644{72106695-B395-63D3-9A03-00000000BD02}5428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000446909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:54.866{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FB2400EF1579DAD9A75889779819AF,SHA256=44A4EA3196F518B53CE1D6E1AC9303195CE31872ECA0DFCA924A66A132917A64,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:51.791{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000320587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.843{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.842{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x8000000000000000320584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.651{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1191B08C1C1AB746610FF6455D70670A,SHA256=07E75AB9B507D9697E402FE2A1E713D5B7B3EEB5424F0E940FF0730582F3CE64,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.635{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.636{72106695-B396-63D3-9C03-00000000BD02}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000320575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.385{72106695-B396-63D3-9B03-00000000BD02}43845172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.135{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.137{72106695-B396-63D3-9B03-00000000BD02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:54.086{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61278505151CB9561FDA58A876E6D3C,SHA256=CC730F5EC36A763A03E4A1DAEF91CBE1AE1623E5E8F929C41EDB418844EDE229,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:55.956{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAE3C7042B2D4FE524C373D80994306,SHA256=ADAE613683A383AB324E954BF7AF214A2F0BA69A2554914FDEB068FA86A9A32E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.860{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.859{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.759{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.760{72106695-B397-63D3-9E03-00000000BD02}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000320598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.494{72106695-B397-63D3-9D03-00000000BD02}5988592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000320597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:52.521{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50934-false10.0.1.12-8000-
10341000x8000000000000000320596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.260{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.261{72106695-B397-63D3-9D03-00000000BD02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:55.182{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE083F280940FA066499FDADE66D262,SHA256=4E1FF3D9C44447FF18CCEF55C109D80B38D39A1BC1F0A3563A98716FD19B5ADB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.638{72106695-B398-63D3-9F03-00000000BD02}12762452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.386{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.389{72106695-B398-63D3-9F03-00000000BD02}1276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:56.277{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E056FA5584774E9768DA7952B8F92EE,SHA256=CB3E5D29F6BE3A76603D5292C88C74A25D6992DE9F22F9E8709E7A44D82F7851,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.706{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FBE6DD28E8E87A7CCAE0F6B58DAB5A7F,SHA256=7B234BB9EC3C66D6E22CF4E0DD917873EEDF2C0A07D97A05B9B37690A838CC3B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.375{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA613A098BE2041FB9A697B08819271,SHA256=49550F35BE0DC784503A6CD9FA3BE313DA51D22406AC6D449D8A54D22BB71361,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:57.054{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B1A818DFB3051B358418793C4B53FD,SHA256=8DF1911223C7F6512649A12270BF837CA623C7DFF6F415B37E490D878C9248FB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.060{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:57.061{72106695-B399-63D3-A003-00000000BD02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:58.471{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A5BF85F7CC7AD24033196E74836491,SHA256=A1C2DE74583F60FFE8F8E01972D2BE64352F8911483C3CAB82E205C81A26045D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:58.138{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFA11222CD699FEC117F706E8678637,SHA256=7C62C6CAD6BFA965CCB2B116343725EFBC1BB0AD593DAFA76077A0C002B73996,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:59.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD2A5A47D44002B2F166D906EB7A0DD,SHA256=56506E933C47B1C711E2239A0F977AF12A405FFEBE2BB8894497A08847C3C53F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:59.496{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
354300x8000000000000000446932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:56.885{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52651-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000446931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.503{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.497{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.493{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.489{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.450{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.433{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.425{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.415{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.401{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.375{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.367{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.358{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.346{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000446913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:20:59.242{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0624C6C111DACE073A526CCCCC40E97C,SHA256=9D9FADC6B3ECCF0771FE6DCF9C0AE556B861FBB26B3EEBE9FAF4601366BE408F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.701{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.692{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.689{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.656{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.639{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.612{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.607{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.605{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.601{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.599{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.597{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.593{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.592{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.590{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.589{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.588{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.585{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.582{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.574{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.568{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.560{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.558{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.549{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000320647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44803B3F219EAC3894887467FF402B8B,SHA256=814084ACA14DACF991B537C53EFDBDD5FEBC19BE69461FF4FBB6F8716E4CBE88,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.527{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.524{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.512{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000446939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.274{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB58ED00017A37E608E6AABFF648A67,SHA256=202F72E42A641CAC2F1B6A4BB3E8B39E097EDA479A7A640BAA4180386B4CFD27,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.440{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.432{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.417{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.389{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.374{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.367{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.357{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.345{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.334{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.321{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:00.316{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000446938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.097{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.095{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.092{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:00.089{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000446940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:01.378{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DB6AC3BC4134B57B4C6B662FC6620A,SHA256=338EC3EDE2B3720EE7EDE77478D6897A5C3F61C9982DDD8EFB5870D5DBB842B0,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:20:58.421{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50935-false10.0.1.12-8000-
10341000x8000000000000000446960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.818{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.789{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.786{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.776{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.756{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.709{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.700{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.680{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.672{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.668{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.663{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.660{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.658{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.655{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000446946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.564{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2682A7CCA18E647ADD1933C79F39B443,SHA256=DD775C1DE8EC3459E121662626FCB2DF72A8D3695196713F0958872B8C0683B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:02.073{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B9AEF7B8EAFC702865DCDC8401855D,SHA256=216C7678582525FBBAFD44140B08E86792165118F93DB1C686535CC797B26251,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.142{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.141{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.139{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.127{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000446941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.115{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000320673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:03.154{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE29B45EA25BE80EA8C2A24998390B,SHA256=4D28F62997078B0E9FB8BFBE28CCE0CB3B810A8AD943711D8D4AB235AA8C29D1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000446987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000446961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:03.361{45AAC21C-9B85-63D3-0D00-00000000BC02}892912C:\Windows\system32\svchost.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000446988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:04.148{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2AB67E4324475B1ECFE155795363CC,SHA256=796B2A9DDDECBE869C97592AB1D93FEBE7DAD11D0D3EC22AD8576E66811E8F53,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:04.249{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56D005E2FEC10B7E1F61ADA99D39B5D,SHA256=44318487D1984F120E0B224740F5E6CCC6A7D7D816FFCB69F622F5654092214A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:05.817{72106695-9B85-63D3-0D00-00000000BD02}7963468C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:05.348{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000855E3CBD935CAAB4EE16CCC3034D0,SHA256=8BD6F44A99011F4ED797E3E1D49454349C07718B5F73890E0667F8E535B61F96,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:02.848{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52652-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:05.535{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-099MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:05.295{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC580FBFAA8246ABB7A8D5B01D62E45,SHA256=E93CB3420B2986246DAF784D688714284566CB991A5F3BA71054FC5F9939A0E9,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:04.314{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50936-false10.0.1.12-8000-
23542300x8000000000000000320677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:06.440{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB4C5DE26A1D0A0963FB845212F036B,SHA256=F4D19A9BD841EC5CA348E3571C3DFDB34DC4C565B21DED8733352EFD95D20F64,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:06.546{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:06.388{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1C26CFFB6FC29FE9F7848917AED59A,SHA256=933567216B47B6867F9224ED78741C4AC1A367C5463616082CF82C7122D0EC78,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:07.530{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B239E3395728FADE226B94AA2777F18C,SHA256=AAECE574968B8C0EB523E12520EF4DC66FFA69227100E7DB6B89E59DB2D3C74A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:07.486{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BD0D9CBF8A20A9DA9CD8C0FF4B205E,SHA256=9667BCCCB7D0B943C5AA5D29B5795394FDBF5650DDC311CB1F049B9A47B13504,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:08.629{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8343617BA2BD7CD3E39853B57639300,SHA256=FEEA15814633D7176E484924F7AADFB7B37B1F6CA59B9C7F8ECDFBD6DDF719A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:08.565{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386A920848EC9C67307C77D913DEF5FF,SHA256=DEC4EE1EE6526007FF44BF3DA2FDC8F93516577FC918453A6E2ED4EDBC6EA6A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:09.730{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5352822EE6DB2BF3CA944F01FFC34D31,SHA256=B68C34F85CCECC03F9C97B5F4D18E57CB9EDE5D5CE5AE7A8664FC255E3ED99BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:09.652{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34FD7AC55693C24B9316ADA301806C4,SHA256=22C28DE70B291B06B34677F213F58DD84EF279E062C0CF4C25843ABD96BA9C79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:10.826{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E0EF62BE8072F8ED3ADE6D4E9DB474,SHA256=652B848B83FA6E39F1ACD6E61CB97B87ED7602FF3E68DEEE23D6FAAB68AAF196,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000446997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:10.737{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0198FBAE7B95CA4C4CB4573D1056CB9D,SHA256=0D14801BBCE917FAA6F06EEDF505C131DD2C102C38462387DB7497685DE797F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:11.923{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E996DA48B61D9255186D5657A567335,SHA256=A1EBE2ED496BC0E1A7FB8CEC831B85CB1C6BB2C9E31C022D48F590A7B53443E4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000446999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:08.746{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52653-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000446998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:11.826{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E17A7C336F292B3CAD12A01C0FC03C,SHA256=E1ADBB400995BDA662EEFD4EDF9359BB27B77C1EE475382FBB7E2AC4D0663FB9,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:09.501{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50937-false10.0.1.12-8000-
23542300x8000000000000000447000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:12.925{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE630EDF78C45DD2FF3CE4DB9830ACB2,SHA256=51B0FB08E0C04E8348FD4AC4990C2F60F47D9C91B6CD3E2499D93293E5006761,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:13.011{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4F34153CAF3F9CCCB072B7F7CC023D,SHA256=A145A8A5D0AE3E0406542BD9E1F68F4724432B668E6DA25D344D201AC9703B37,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:14.994{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=314A990B7F8323AB813B5BBB4DA74BC4,SHA256=F663C70415106C0F416EBE9B9F2154FF671D9648B649453A926D5270696F0E51,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:14.108{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4F5875E073CF0E04F1EFBEC38A8121,SHA256=44903232BB7BF4FDDD2C3A01B7317694831207FE9328335D5D65A6688131CC01,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:14.017{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0EAB1902F8792297DB2250986993A6,SHA256=F9A48BEE7619655BCC9928DB74FDB4E86053084680BCD5905D90CB1C6C4CF825,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000320698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000320697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e619f)
13241300x8000000000000000320696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x160fd2d3)
13241300x8000000000000000320695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0x77d43ad3)
13241300x8000000000000000320694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d93249-0xd998a2d3)
13241300x8000000000000000320693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000320692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x005e619f)
13241300x8000000000000000320691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d93239-0x160fd2d3)
13241300x8000000000000000320690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d93241-0x77d43ad3)
13241300x8000000000000000320689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:21:15.386{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d93249-0xd998a2d3)
23542300x8000000000000000320688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:15.199{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF29F4E36531BA85956C1BBDBD7BA08D,SHA256=AF777C830D9538DDC1D62BA203DF1DF7440139336ACD5FE457B4488AFBBDDC26,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:15.118{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6447253922C7BCD05F04C7D3B692F,SHA256=A7385201521C84DD7E9A7EDDED526C46B57C17CE55FFDB4C3F1806A097B830F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:16.295{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06980D05C7C6EED4DDB83ABE132D0B6,SHA256=507F601C65B07EF93F9B04815E0BDA013EDD70E9A298C542FAD3827E6274C9B7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:13.848{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52654-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:16.223{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A71426151A9481A7343205471C4C1DA,SHA256=718975EC1334A61CB4E11432D68850A12612D13F3F7295CFB6479B855812BDA7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:16.175{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CAD96115E5E5BB3B5CC9EBB6D1AD0BC2,SHA256=0A933AF96C8A0AA89C41F9B93DB31200A4C0D0C0BBBC6A08F87FFF6954D37C17,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:15.390{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50938-false10.0.1.12-8000-
23542300x8000000000000000320700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:17.397{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF16E5B54666C0706A38F828D30F85D,SHA256=90EA273F87A0A23238F1CE6DF54BAF7A820A939C6DE94EFFC700F68615B87DC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:17.571{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3F14CDE68856A317E76A1ED1A232D7D1,SHA256=4B0F5B948D73438525A1DD2C2F6150A8EADC4A379F9522E96F7DE451BE6949CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:17.220{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6219D352CA8D110DF92ECD5ED38D3E4A,SHA256=DC76787959CA4AC8322137488D403EBBD9B19942C9D01A2D25101A3FD9597BFE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:18.490{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A4F3707C69232CA23F2DF6F853838,SHA256=D23C46BC3AF2999368AE98A0645F981C77E7E9C2B298405DC0C300B70BEA3B4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:18.318{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84AAA54A648F851D8B1ADD26DBF3C25,SHA256=20F97E11EC95F5A73BA385ABEDF985E1F61F5F333F6E94F457ACAD0A4562C834,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:19.579{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3FB5929202917AB09C61955E29E4D9,SHA256=FD78D518AAD21612EAAFA30D6FDA6CFBD3DA4F95B0DF07374A85662106C9E8F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.606{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.590{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.577{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.573{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.570{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.567{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.528{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.515{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.480{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.467{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.444{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.432{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.406{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
23542300x8000000000000000447014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.397{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53442C613AC75D7EDECEA9342A5C3254,SHA256=6E0B487179042E0ADDC32D966FED1A8F7FBA315725FDFB7ABB459EC6D54B2825,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.395{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.363{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:19.302{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000320741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.771{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.758{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.754{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.720{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.715{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.698{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.691{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.687{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.671{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.666{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.664{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.659{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.656{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
23542300x8000000000000000320728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.654{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8914CA9F1536999C292C9EFFD407CA6,SHA256=50DF01D23A06D2755268D5FC9984D9EC1264806DD79D017A7DD7136E4A9E18E3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.653{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.652{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.650{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.644{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.639{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.625{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.621{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.614{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.610{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.600{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.582{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
23542300x8000000000000000447034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.417{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=674CFC8182E57BCEC470DF76D4027A30,SHA256=20577F151631BADF63E25673E638811A78089DD48A537175F26A8CFB673BA6AB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.579{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.565{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.514{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.502{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.492{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.479{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.464{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.456{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.447{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.433{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.416{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.366{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000320704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:20.362{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000447033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.245{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.242{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.239{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.237{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:20.236{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
23542300x8000000000000000320742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:21.736{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CD9026B05747F7D8332351B899EB53,SHA256=E2D155E9537E300CD31212814909B0E2B61322FFD519387197716B8F2E2B11AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:21.630{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB5992836879C1C27C421C536B24FFB,SHA256=1999835DA0FBD97A920ADE1BC9DF0A01ED22695F1750A1AFA625F209769A28DE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:22.828{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C32A63BB5E7908C74B96080C2FC3838,SHA256=5A3D58195418E0C4813CF0497CF53F66F4862C7DA436DC0BC9039B3D43921FD9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.917{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.911{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.900{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.887{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.857{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.849{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.830{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.828{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.824{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.813{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
23542300x8000000000000000447042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.718{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760152D3CF17ED9DC8493F1A9D53A775,SHA256=0EB8D5A932EAC91BDAC7156D31EAAD550BE68175C3BA184ECCFF9D18D18C5B3F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.303{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.300{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:22.282{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
354300x8000000000000000447036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:18.928{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52655-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000320749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.919{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62291418B759330DD879CC0681E1CFD7,SHA256=D8BFAD913A61890C90F6388130ED1EF755B9ECED7A8EFA491D24201A17D2BE88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:23.876{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342E37D9A63DAF2A12437855D9453DC9,SHA256=1C9B2E5150C4827F92B9C1166C5796CF1C9FF4C47214422C734850334285F544,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:21.398{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50939-false10.0.1.12-8000-
10341000x8000000000000000320747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.161{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.161{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:23.139{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:25.080{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC172BAE7F216EDF909DDEC2D6EEB99,SHA256=F9539B5E018BF0E6322243E92146CB461C2C0B53C2D8B714ADA7A74E611B2C51,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:24.999{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33435D48A74D8F1939178D5914BB3627,SHA256=333676AF8188430FB9DCA7E2F179D2EDB7994D57F8D1D7933EBEDB8436F5A323,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:26.087{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A87DF1230B8C6C23B71628F8A9D1432,SHA256=56B387A0D152D38AD1EC95DB2AD2A96159B900ED3E954D2FE5E6ACED4F0A0B3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:26.286{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCCD5766463DAE4CE0164F450555C0D3,SHA256=BD6450A57A45C231433F5018C4E097934D3A605F74FE36EDD72A0F3FBC621128,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:27.198{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC94DF60215FB522A58481F9EBA16EA,SHA256=74860DF1FAB9D13B27BABBA41C163DAE334F45A404718000BD477A6162806241,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:24.795{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52656-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:27.491{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74515AC2C362C23D962B36FB14EFAD20,SHA256=EB313ED357E8B92967286D37B35430E73EC753C1250C1E21CAEA91FE52DDD55A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:28.574{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8146BBAAA54AA160BF4C10042580C,SHA256=97D00AB7A2B30458FEBE8C700F9D12930773F1A62E575A568891E434C5F90312,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:28.300{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4867EA84CFB6F4F34B8CA585812E58FB,SHA256=71D66A4A9B1DD6DBE778E6C833B393AED3A884523F77D5CC059B25FA6D9EB4C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:28.064{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B2F5BDEEA495E65149F453009F645CB3,SHA256=816E5D07EE712116811BD30ADFDF47F55E4A47C3371A3DEB94DE0BD9533F96F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:29.661{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8C89CDEF22E91C60BE906BE74F8E27,SHA256=8092B0B36FCA0B13692D071D7952E54B1A984318F4B2DE580B14C39EEA442BBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:29.393{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6FF60114FA6C06DD16C801AC243A70,SHA256=36619EAF7CF10E0D743553026F811089EA545F3307A5D44546B779BD63F5523D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:26.482{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50940-false10.0.1.12-8000-
23542300x8000000000000000447064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:30.741{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5EDE2EAC0B52C2284299E7927B4D76,SHA256=95E418C150ED5018F566A12E34FC8E798F53DD81977AFE135CA55AD83C02064F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:30.485{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5974BD570F2B2A6EC2F24552D8107CF,SHA256=134EAAE2965FA2857D8902D7B0C61A866F13C0774BA326704A734756CDC54447,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:31.837{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78ED6E4D0BB6628A3EC9D871EF3B23F4,SHA256=85F9B2CA1DC467BF1893E1978FBF5E5F583160C3C87BEEB50C6E970A33253802,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:31.670{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CE1208A9E6FB70C276E0F6D77290542,SHA256=CDE4FDE5908160FCC07715CF12364276E692431BE53A1E8A825CF97D6B710ABB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:32.919{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7324DF457703504723D60E0167ABC867,SHA256=654460DE0E1B131EDCCB5A72FA4F8E94D0F346E6AC6109F5EE234B4D3FFE278E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:32.760{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B914534AFC5E62F553E1CD41CB9EAA,SHA256=59B950EA95B0726CE76DAD70A75FD9E21ED2809C43071A2B73C876934CC087BC,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:29.815{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52657-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000320760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:33.862{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646296D85A950F6F8BA89920177A248F,SHA256=CBB35A7F57C6F388F83A12B47BF6ABF6307BB95BED3D743186093B4128D4B425,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:34.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43E43F798DFECC28114B9703036DEA1,SHA256=02FF8B98A33096F7B0188FB41D23B761DECE91539239BCAEB992FE731DC19640,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.083{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.020{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E903DB567EF7FD25DBD2C972604D15,SHA256=04087EFB5AB417B4788F5A8CEAFBF397776FC25BADE6A185EDDCA9CCEBA3CAA4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:32.767{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52658-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x8000000000000000447070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:35.117{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB9E8F36CFD8985107FC214D20BC0FC,SHA256=7B48762F4346BF9F837C0CDD9BBCF15905AAB78F09D7813D67849A461654539F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:32.469{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50941-false10.0.1.12-8000-
23542300x8000000000000000447072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:36.218{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4546D600121E5170B23787AB837A8C,SHA256=B6EBD333F9190D9D9475D2306A1FEF81DA8F860E35DC0CBFD71D86CE1ADBFA1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:36.041{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A4DCDF97ADC04418C4BD4CF3555BEE,SHA256=D15884BC47EF6B89C8F2887C0D36CD72209217EA10F6B2FEB1021338FE3729EB,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:34.917{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:37.318{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5BCBF62B4FAD8FA7459199554BBA7E,SHA256=93CC28DCEED7DF7B9548C110DCBB1104010F96C0191512F53BA136AAADB29445,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:37.152{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8819B12CB21F738C1DFC583CFEEDA1F,SHA256=D7B7DCEAF0D4F7E2E9DA64F5AAF8590EAE16EB995036327E596B5872C924D20D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:38.515{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2226ED49691E2DF51B9765522489F173,SHA256=6329E1DE43C515DA1EA21E2466F3666F564240ECC07DC60C703A094320B82031,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.774{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.252{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E911E5839EFF654A90C4A581D9E17C89,SHA256=3D1A8BF1C1AEBA04A99C799898378349A9F2406DFA7457CF0843BBD04AA7A354,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.706{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92636372852C2656EC16CE3CB7A9D7AF,SHA256=F3765AAF7333262B91E8449B7B01CB41B9C3AE1AFAEAB76FEFE24053D117E909,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.597{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000320767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:39.354{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01539140FF38944A4D0EC198B30AD554,SHA256=A8FE7C6BE759CBA49436D0AD90797F78170835628032304231C42841B544AF86,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.580{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.561{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.555{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.552{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.549{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.506{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.492{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.466{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.445{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.436{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.421{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.408{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.380{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.370{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:39.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000447101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.640{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348DFFAAFF4FBCBF0DC034090BBBE178,SHA256=780C00E5A8582AD97080E493822BEB5DCF481A1B5089645CFEF1AF69981050E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.779{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.763{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.757{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.714{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.702{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.675{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.664{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.661{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.654{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.653{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.650{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.644{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.643{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.638{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.637{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.634{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.630{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.624{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.611{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.604{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.589{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.585{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.571{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.548{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.542{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.523{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.461{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.450{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
23542300x8000000000000000320778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.436{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D0F0807CD4FF9F03F6D4B37EC3DA85,SHA256=0C4F2652FE173130066957DC131D4DB4A5D60D86F7D711B5824EA9B582909478,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.425{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.409{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.391{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.380{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.368{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.355{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000447100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.237{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.234{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.232{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.230{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.228{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000320771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.337{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.326{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
10341000x8000000000000000320769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:40.322{72106695-9B85-63D3-2000-00000000BD02}20002892C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084850)
354300x8000000000000000320768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.027{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50942-false10.0.1.12-8089-
23542300x8000000000000000447102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:41.750{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EA5E4D65487EA309F7DF0AC6895095,SHA256=F6987A1A02801A640292A1CB6073BEA11BB2501421ECFEF47D43188912629A03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:41.756{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B9161DDF781FA14F482D08178EAF15,SHA256=5290A2330E19577593C6A31FD14C655CD2DA0091D100689A4705A9C0BF521968,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:38.403{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50943-false10.0.1.12-8000-
10341000x8000000000000000447126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.969{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.938{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.932{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.912{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.842{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000447119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.829{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C75B7F006CFE489D714565444FA9D1,SHA256=9B716090745036A3CAAE4E6BB560695F02CC10655166F15267C86861A1C8127D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.822{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.812{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.810{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.806{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.803{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.802{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.799{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000320809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:42.842{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4621C2336E78A3448C6F053FB4A3573E,SHA256=3C8803D9DC1FD42705EFA15039947ED7D9FB414A31BF674120B677610E442EA9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.354{45AAC21C-9B83-63D3-0B00-00000000BC02}632756C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.337{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.290{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.289{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.288{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.278{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:42.271{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000320810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:43.938{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCEFBAE15ADD822B517E670CBEC2444,SHA256=934CADA93FC5B259C6C040B1C3FC04190BDF5B078280E5D88DACC28D196F5C4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:43.914{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F067AAE9DCA92829DE1C8FDE2B220F65,SHA256=81F08A99AE3BC7A397AA1E78D0EBFFA0B11FF99023C77ECF423384ACFCF47F07,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:40.858{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52660-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000320811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:45.260{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28821DE7DA7775E6688B59FE4389CD4,SHA256=A572FF1F30428466EADC7DB2034061E4A98B0D9D9E987F643B6C7D9EA29500CA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.967{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.968{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:45.010{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AE70893F214BF8BFC639EA911A78D2,SHA256=2D32123C38877EFF158FE48B7B3DE0B1EEAFAE686E87D18EBF08CA435A86A450,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:46.343{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09964F116ED246330BFAF65D8B365357,SHA256=140F80BEE48099A0C96D7C6BABD8983081E071D6E43D4D8767CDD08B3DAE6A2E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.749{45AAC21C-B3CA-63D3-B603-00000000BC02}54042144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.546{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.547{45AAC21C-B3CA-63D3-B603-00000000BC02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.104{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFA28C911FEB77BDD37D5BAD665491B,SHA256=3817E120570E56C5AB12AA768FA9F9C24B5ED7FDC8516DF11A36E6A2A76BE3E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.088{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3AC92E251F37B91F851F13313F2E57B1,SHA256=FD04CE4783AFECB0BB25B5762379D176DF98ABE2C0CCF5F6B45114BE30E2E2B4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.040{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B3C9-63D3-B503-00000000BC02}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
354300x8000000000000000320814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:44.400{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50944-false10.0.1.12-8000-
23542300x8000000000000000320813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:47.545{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83B3442A87C517987FC7A8E7E2B16FD,SHA256=FB468F76EEF68164D2955662953F4D9111B865D8E3CA18956A9CD24C1A0FBFF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.706{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CE9C64865E7F462CF025F6BFD2B4CF71,SHA256=3FD7661F3C5FD5136873BCEB28CA09E58900DCDFC023C24AF973377C986BA5FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.206{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BC9CC95DA02CBE13408AE7939DA6AB,SHA256=0ABD552555C21D247866BACF68476CE8BA6D0442576A37A96C7E3462FC39EDE6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.173{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.174{45AAC21C-B3CB-63D3-B703-00000000BC02}1580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:47.079{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24632734BD62802A460CAFC92D381A7,SHA256=763B41A54EADE044088A2CAF0CBD4D9288A3B8E5E6DC7A6413055082F9599F1A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:48.650{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B3C69F74C590824B47B9E6D250D06B,SHA256=7539A298FE0AA58639C9E2AE4D4E7EB0FF5C5D6F9D39B673ED4B1BEE00DB3BD6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:48.285{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658F8195DF8F42B5B4194B80E1E8E6C4,SHA256=8C55221CCFC5C3412E2680F78D001F3B90D1305286C04F21C5BD7850063E1DF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:49.850{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C848F9670F361B4E0C6D94157B6BD3A7,SHA256=3D485F9680D7A4468C707A95CA28D104C5275478FDDB3CA32A57D2D21600C49F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.949{45AAC21C-B3CD-63D3-B903-00000000BC02}31205644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.683{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.685{45AAC21C-B3CD-63D3-B903-00000000BC02}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000447175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.402{45AAC21C-B3CD-63D3-B803-00000000BC02}40041120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.387{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C10176E214D013F9F1C431F3F9E4AF,SHA256=9A6B195900CD0E8D833A6386C6360B4168524899AFE3D0488DD3EA9632F11092,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:49.089{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-100MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.249{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52661-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
354300x8000000000000000447172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.249{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52661-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
10341000x8000000000000000447171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.182{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:49.183{45AAC21C-B3CD-63D3-B803-00000000BC02}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000447195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.627{45AAC21C-B3CE-63D3-BA03-00000000BC02}60883812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.471{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0E2A8209FABC30BF5DBA38BB59B676,SHA256=C48A98BBCC8F66A36F2F63443BCE012694CEB8F422ED4D79CEE395FD08946E19,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:50.101{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.361{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:50.362{45AAC21C-B3CE-63D3-BA03-00000000BC02}6088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000447185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:46.866{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52662-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000447204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.729{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.730{45AAC21C-B3CF-63D3-BB03-00000000BC02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.573{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E79292E3A96FC93259EF6139B8BBA3F,SHA256=4DF7146DC36E4C912500B87F5317A1BBDFCAEF48DA9FB1ACEBCB72748920ED8C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:51.037{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0609C0E45135942DCCA73519FE01D00,SHA256=E6CE2AF7C4C00BFB3DCF6EDF1342862F5923E3D8005271D079D4AA0CD7C5B7D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:52.846{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2A6E9BD8DAB9476BC59599E82A4DAEA,SHA256=93AAAAAE1E67764AF5D65E2E368369EFA5E3EEF277D3ECB7BA6C0F29E1F46C37,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:52.675{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899779A40040BED46597CD7FE455D1D4,SHA256=14572EE8E981376F9DDEA7E4D8310A19EFDFE1E02472C6F0D174AEB7049E421D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:50.368{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50945-false10.0.1.12-8000-
23542300x8000000000000000320820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:52.118{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AFDC75398A2D8130FA0A7740110018,SHA256=9FC3A90A1BF3AEDAC2635272202F74754622DB7FE3FF7744D69DD4AC75C75930,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:53.768{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E64031312379B694D58F59E562B9C47,SHA256=C972826CC0B40EAF08FA180956549F2576557B7B3F28F2416E553563AE70DA1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.833{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=084582649F216365DA6D0ED1C818E8D7,SHA256=7E4B85B09216794BE618CEFE00A2F48DD3413621770B323F4F3DF0781646AEE2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.687{72106695-B3D1-63D3-A103-00000000BD02}39323336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.512{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.513{72106695-B3D1-63D3-A103-00000000BD02}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:53.215{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB594DDAFC937932E989E314A62C4FD,SHA256=25BB90C65D74E66F19A3FC5F3916292858956A4CB2EEFF78723B488961D89F2F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:54.855{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0D0BEC6299363D29B952D3D2D63620,SHA256=BE0D96FF6FDA67C350CB4F3483C2994F4CEA35E3723370C44773C5A2D1163982,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.832{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.831{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.829{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.828{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.694{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.695{72106695-B3D2-63D3-A303-00000000BD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.600{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33C9C038FFED7617B305C2B16FB27EDB,SHA256=1059972D92038A8CB4513C09B9CD28435F8D07A02969216DA955C4C568441188,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.397{72106695-B3D2-63D3-A203-00000000BD02}57645760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.303{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AE6D9AF1B518F37E260C2950DB67D1,SHA256=412C013E7BD19AD7652C49E281E38D79B38F1ED09952DB265E648C70214414F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.194{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:54.195{72106695-B3D2-63D3-A203-00000000BD02}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:55.957{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30929D82FEF0EB06A0493E54AC71394B,SHA256=61FFE7C48D06E9F4323ECC7DA8445F5961E1C2F73185B44D8F43F630F10ECD40,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.955{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.954{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000320874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.865{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.866{72106695-B3D3-63D3-A503-00000000BD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.397{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCB9CF9A278A7E78D1A45EC23A90DD2,SHA256=D4094C79BF2D13BD062E697CFB85ECF13BBF687A57C3CABEC877251B18E0AA90,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.365{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:55.366{72106695-B3D3-63D3-A403-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000320891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.746{72106695-B3D4-63D3-A603-00000000BD02}59285952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.538{72106695-B3D4-63D3-A603-00000000BD02}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.458{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FB60E9BA96EE3B7FB48AD22499B391,SHA256=26E57F0FBD611D80DFD7790FA95991B563E92622882C1797083FEEA1269CA9FA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:51.934{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52663-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000320881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.053{72106695-B3D3-63D3-A503-00000000BD02}58645908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000320900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.562{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EED68BFBD35E3F9693A278C96C4BA0C,SHA256=F76939537798E974B22B6E21C6B6546BB1AFB48B773502DB4BDBA815688170EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:57.055{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FF50D90DA6EE0B743AF5B28A9ADF3A,SHA256=1A82AF49CF48D1368239C0231D2C057F7C99448CF27FFA183C3378C17DF8D02F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0C00-00000000BD02}7322608C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000320894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000320893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000320892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:57.203{72106695-B3D5-63D3-A703-00000000BD02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000320902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:58.647{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE860CCE2FC51F29505D50F17F7312B5,SHA256=D7F0F87E9978D742B264F2A4D7EF77A0BB0F93DBE286A9CA6CB0C45F6F399D6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:58.144{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F826D1335FBDF4C0FFA9E63729E4A11,SHA256=D119C0274330F39A1B4741475AD054882A62C5DA569E2822A80FDB51CB35274F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:58.059{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=574CD442FEB584AC4FCDBD289B662351,SHA256=552A05E4DD272E5F541CC1BD0251509D898DCC067FBE26629462686FFC6AB0D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:59.745{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F816758DDDAEEDF82908C529494001D2,SHA256=0DA6AF9629F1016D9E9B681305DB49B663CAA44FAA92B59EE09B47FE2886D55B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:21:56.329{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50946-false10.0.1.12-8000-
10341000x8000000000000000447232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.546{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.533{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.524{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.517{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.478{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.471{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.459{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.443{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.427{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.409{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.390{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.368{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.358{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.311{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000447213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:59.232{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED5AF4F6A42DFA1CE5A83328DFD8615,SHA256=519C292D72B865650A35387655CC8A0473BB207CB74AF84609FC2A2D11F42379,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.987{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669D85A98A7D5DACE870808AFCAC4A50,SHA256=50A3AAC8DAD33C9D295582D930DF3DE6D1ACC60A360A4420C65C289E0794AFDA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:21:57.837{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52664-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.352{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1125C03CC60453261C073D4AC0809A2,SHA256=674BAC696EA27780E3824F4812F7C06C965C2330BFE75F0F0271AB2331A42636,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.640{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.625{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.621{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.587{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.572{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.548{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.543{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.541{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.538{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.536{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.534{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.530{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.529{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.527{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.527{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.526{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.524{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.521{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.513{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.506{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.497{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.495{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.488{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.475{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.473{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.463{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.417{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.408{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.400{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.392{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.382{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.375{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.360{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.350{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.341{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.330{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000320905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:00.327{72106695-9B85-63D3-2000-00000000BD02}20002904C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084610)
10341000x8000000000000000447237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.156{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.153{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.151{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.149{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:00.147{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000447240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:01.441{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6C2066238897F2C6A0CF695C246F6A,SHA256=05E8BFCD1FC586173F8131DAA7D82C6BF94684C816832F819386E06A92911A80,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.859{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.839{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.836{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.825{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.811{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.771{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.761{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.748{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.741{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.736{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.731{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.726{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.725{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.722{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000447246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.533{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708C30325BB5F4E11C685BA5A803FD65,SHA256=02C6388AB51CE33459CC09A170A0CB8CEA2F6A9AF39BF04D9665A433110D2B06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:02.107{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C056ECD859CADE28E10944E04F920B2B,SHA256=43E3732A5098B26683BC7574AAA68E3FE929B48365864FD2C42386BEBF613FCA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.212{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.211{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.209{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.193{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
10341000x8000000000000000447241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.180{45AAC21C-9B96-63D3-3000-00000000BC02}28483228C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000015ED43D0)
23542300x8000000000000000447261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:03.599{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C3128F3B6BFB9FA0EACCDB697166F5,SHA256=5409800C2275F9BA941992B8E168F2DD631655B5E4E323772FBCC748565D1262,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:01.344{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50947-false10.0.1.12-8000-
23542300x8000000000000000320944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:03.218{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7439C5BC6A2346A6396F3519423A6FD7,SHA256=855CD042DCACB72A0AA40139729DF43843B860A4AF57CED81A76BC3C52460433,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:04.685{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DA44CEE8340512015DB0B3E28FF328,SHA256=234BF57A0AB09A4B2549E6AB75DF916B26DAE542293183C11BB1376A20D9634C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:04.311{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808438B0A2E71386BF6C320D65F3F1B6,SHA256=326AB46A24F8CC3579EE93B8B46935ACA2BC5F794ECB6F60DA2732BEDF34846C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:05.764{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF74B124F4115867EE89CB0AFB828E16,SHA256=76ACF8F02490E773903B6964852D74A8FC245307EFC70B578F18C1AF06D0EA58,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:05.395{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C26111B0E201C393EDEB33D4144C51B,SHA256=D9A0C1B3E67691CC8D9797925A1C83EE4FAA95FEF0BE6C74450AABA025535FD6,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:02.924{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52665-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:06.865{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721754CC6A7CD08D2B323B98E41FFE39,SHA256=3B92BC20191AC4009E9D0CC9E7369F095BBDB3C3141708D29184B7F669084CE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:06.494{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8AC5B3959E3345F1F39B50AE3E91E1,SHA256=CC4E6B025B28E282A8769E23CD838937C97B0F11AE656C2E7FDF1C5E448A3610,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:07.935{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FD361059681C4301A238D3004B5A8A,SHA256=CAE627B742FF571B82368CEF316E23985676DB0DDB32D018DBC0D940F7B1AA9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:07.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B502675502B252C6B564460299C17FDE,SHA256=66C366C2FA113DC6E5825A1F1EA6B8031C960C7EB8209332714F2222D7BFA6B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:07.071{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\respondent-20230127093833-100MD5=ABD21C848C86C8C4C327246443A18885,SHA256=621828FF48080C628607F27990B50D4C7839DD5149D1A5B05A104AE9C04F6CF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:08.675{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3817103C9F0F8D4EC269467BDECD82,SHA256=D627F44862C98CA67B1F109203851B0A278B394B6BB6F0883B77284616056CAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:08.077{45AAC21C-9B96-63D3-2A00-00000000BC02}2608NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-008e8f41085a2823b\channels\health\surveyor-20230127093831-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:07.307{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50948-false10.0.1.12-8000-
23542300x8000000000000000320951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:09.770{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CA749293DE7CC9EA2730BB20518186,SHA256=68BD4A7F1D44995C4EDDA6ACC114BBDEE4DF2263228C1126BDBCADBDDC0DA0A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:09.127{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3749548CC4C8FC891379343E2523D7E,SHA256=536D48E4A9065C7A0BDF7CCB73600C710724BF7306E72916BF718440AED6E849,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:10.857{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBA79C913BF0DEE3D3F725215294C03,SHA256=A31A25A4ABA3BF9B9018DC8E61916E0A359D646720606FCFBC2BC471FBC3AA89,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:10.301{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AE681ECA4D1C6ECE6452A6F43E8F46,SHA256=8F86FB840D129E3CDB29745A85A9E54AA910CD084676A91ADD56FCC39F93823E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:11.945{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2049362D7305BB73BF7976E446C5A4,SHA256=AB86E58152F08FD39B1672909C02BB9ECC627EDE530CDD81236E55D2B6A6DF25,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:08.828{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:11.408{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4711D9043258F433A1B215BECB8D237F,SHA256=0C9811BF875605AD5E74B83E0D8A8A109022C6917237B0B6ED1DB0599796CF12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:12.496{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CBCB6AC2EF72A000091459ADD85CBA,SHA256=CC7A6702AC9BBC12564A56D843FB13463A2385635FBF6BEF6BCB355489558689,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:13.568{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030C1339C8A0B4DB71F360A067670722,SHA256=890C947539DFCDCF11531F8A143B1423BD40C9223A169C6E12A87B5DB1E9B40C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:13.022{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49868B8ECCB131BFBC58C3D8A7A510EF,SHA256=59BE93B812357F2C3E66DE35F5E7F03F59E39CD44A735CFC1DD001FF6E76735A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:14.670{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D394577CF14EC3FE196464998A33599,SHA256=3BC2E15CE539C72792AE1685FE11038D6D0573FCDA8BE0AEE020DF47842012EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:14.996{72106695-9B85-63D3-1100-00000000BD02}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=840629E773C81CD84EC614D71F943F54,SHA256=A8337FA52391185CAAD08936015D5FA9FC31BB74ACD1A00857B6E21498ED7354,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:14.113{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA009FE48F6F64105A1F7999BE56E7D,SHA256=78C19849F5F88E6C6CA549FBBE0FD0A41C7D17E63FFF9BAD0EDA6C292EFB411B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:15.765{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF6E1CA095F1161558DE78B8AD38D1C,SHA256=374865436C905A1B73AE3AF91A88FF500E47E551004331C32AA8ABC78422A8AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:15.208{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7F7AB4D7B2FBF71ABD71BCA788854C,SHA256=580F62067F424B7CD8AB0FA0913B827FF7C11E060E2A4744A5033484A97D42BA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:12.339{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50949-false10.0.1.12-8000-
23542300x8000000000000000447278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:16.848{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523A2C1F364922AB22682DB6A0EABAF1,SHA256=D80A66E1F75412ED89F62DD589C3C4E43D8E7DCBFD73B5BAD3B1F7570FF0164B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:16.308{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05316C73290A97064E933FAF0E3978EA,SHA256=6B26D146788E9ADF5091E51515FB99643083E2F2D7153BD035D1F569583DD0E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:16.189{45AAC21C-9B85-63D3-1000-00000000BC02}368NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BA8C7D89596A339AA67D67E2CB1BF415,SHA256=469ED0649A67B331BBE9F4B4BF64D2D38858CCC847583F3FEADB210CFD2DFE4E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:17.949{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB569AD126BB6DD0F41D21D4EDFE62EC,SHA256=9F65DBCBFEB9BADE9D458698E5665D92D589DFE3074C3890FA8C80E66E56DA06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000320961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:17.411{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5A2ED0805531A588B1A8BF708ACA1E,SHA256=FD5B7D0D72099A1B92265F28961CD67A58DEA104FB36048B64BD3612A81D6406,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:17.840{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3B9484D057ACBFB8D7AF362B5DF0E87B,SHA256=2E6F06F6037DBD1FD1D512F42B0247A6B8F58C6845000BAF5E19B766A5CEAB1A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:14.808{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000320962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:18.491{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C1085341000224EB33D9D57416CAD1,SHA256=B1FD008E37E1561F4FBFDA258354E942213A31EBB2358EB4EA3B69A945AAEEBE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000320964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:17.442{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50950-false10.0.1.12-8000-
23542300x8000000000000000320963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:19.590{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BE8D6A2CEA15ABEAA2DAEE6C4B354E,SHA256=1518998292B159813679CEAF8B8276697B226FF0A41AFEABCA47FDBA67C901AB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.633{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.615{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.600{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.592{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.588{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.584{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.530{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.518{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.488{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.477{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.453{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.415{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.400{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.380{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.373{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.354{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.301{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.297{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
23542300x8000000000000000447282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.049{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3878639A8E98CC2F6B32791D429886,SHA256=47EF37A027C6EC1B840F86CF5991DBCA479BDEEEB889C2479C812650DC50ECED,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.796{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000321001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.782{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000321000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.774{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.722{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.698{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.664{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000320996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.661{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A54608B34B1136D4D3C1A801AE1C9CB,SHA256=D323FB75D247094027B219948066B7C5558784F38CD0AFBF82389795135FE868,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.652{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.651{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.648{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.645{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.642{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.639{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.638{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.632{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.628{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.627{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.625{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.621{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.606{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.604{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000447307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.255{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.251{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.249{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.247{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.245{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
23542300x8000000000000000447302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:20.182{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DC467684C36B58355572EB79BC1B60,SHA256=4051400FA26299160DE9360785B25E7D853EB7478E6EE7A40164AA0116C6ABB2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000320981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.586{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.583{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.572{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.553{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.550{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.533{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.466{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.453{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.444{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.429{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.409{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.389{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.375{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.367{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.349{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.342{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
10341000x8000000000000000320965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:20.333{72106695-9B85-63D3-2000-00000000BD02}20002508C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190)
23542300x8000000000000000321003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:21.719{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A319B456618F77D76BA18DF4666C9E,SHA256=FE8B421459090CC28217146C58E27418D6A44C5ED6A02C6EA2BDC6215B2B19EE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:21.276{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F80923925DC69976BE8D2184375D8F,SHA256=81FD65F016544616CECE8FE8921485661DEC03B93D9CBE59CD82CC8D9177301B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:22.817{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8BFCF5CFD56F9D70CDEE8E58520F1F,SHA256=A6803F36A977D07512986A439A49DF7928DAEE49BBA396F98B0CDD1628278555,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:19.910{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52668-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x8000000000000000447328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.945{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.920{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.916{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.897{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.883{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.860{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.853{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.845{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.835{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.833{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.827{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.823{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.822{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.819{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
23542300x8000000000000000447314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.360{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F8749CCCE17E1361939EA4946814A4,SHA256=946CB40B5C47939B22076B0E2376372B3FB73596E6500F20A0700C3FA54B6CE7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.308{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.307{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.293{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
10341000x8000000000000000447309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.286{45AAC21C-9B96-63D3-3000-00000000BC02}28483428C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013108190)
13241300x8000000000000000321011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:23.941{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x8000000000000000321010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:23.941{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data
23542300x8000000000000000321009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.894{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAE67087557CD85432EBC57F052FA3E,SHA256=C3CC72C6113DF73D05546DFF8694FBCDC87F69F43485C93BA58C1AAE47DFF358,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:23.445{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420E644D1DC932150E427D10DF88BC42,SHA256=8FD3BA121B52CA66DDE6206D292F30319EF53BE310142D25F356B5921B881B7D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.162{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.140{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-2000-00000000BD02}2000C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.983{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11307A83E44B1BD5E00D82F2B12EFC53,SHA256=7D58D55EF0CCEEC26D99A1EBD36310C7E56E8C007695F9698686FE9CD0D0212B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:24.542{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD57658119060C5ADADD16928AF6B74,SHA256=F3967F4E949B5A3EB63D051670F8ADEFA8D083957034DD1A4EFD1F27880ACBDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.654{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=97CC2EFD17A78DF1244BB58418C73605,SHA256=D51D05FE13134418230786CC386F0A1226F6542C7C9920FAB166CCAA9C5C5F55,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000321016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.129{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x8000000000000000321015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.098{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x8000000000000000321014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.098{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
13241300x8000000000000000321013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:24.081{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXEHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data
10341000x8000000000000000321012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:24.003{72106695-9B85-63D3-1700-00000000BD02}12241696C:\Windows\System32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:25.642{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1E59DB75022F540021CD501DF08C16,SHA256=FCBD1170AA45B99DC2C74B819FBCB61B8D03593291356471355EDF13DA6D11B7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:25.754{72106695-9B85-63D3-0D00-00000000BD02}796816C:\Windows\system32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:26.740{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6BFC6BFB881ADD0F8EC65026CC5FB7,SHA256=2E531642D8E5301198F1B84955A0D466C95D5049AD9DCCE8397308FCF54FA0E8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.892{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.798{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.783{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.783{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.767{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.723{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.720{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.665{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B85-63D3-1400-00000000BD02}10321360C:\Windows\system32\svchost.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.622{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-B106-63D3-2B03-00000000BD02}9645340C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15
10341000x8000000000000000321050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.575{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000321049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.571{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap16821:48:7zEvent8084C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE
354300x8000000000000000321048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.302{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50952-false10.0.1.12-8000-
354300x8000000000000000321047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:23.258{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50951-false72.21.91.29-80http
23542300x8000000000000000321046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:26.262{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B013EE036B07620E38C49E3B7FA5843A,SHA256=B949241142DBC891C836697915491688CDB99B582B47E00910506EED5B57BBA5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:22.697{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A63942-
23542300x8000000000000000447335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:27.927{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E6333AB3CB91D25D6C58BC0BFD5B52,SHA256=642EF3389AAF7623CCEA5DF3C74228686756409E2A68111DB6481230BC46F939,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:27.710{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=128CB24D7F730223B43028B82A347674,SHA256=8BB79F7CFF78BF1DB9599B8C156CD7BFE4FF5BF7567D0E3424E8C81786E41C0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:27.408{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A696009B8BE18634CD3D9330A21440,SHA256=0EB06B0A69C1FE29BFDFD6A22C6F15C44FBD0242BBC73BD321B9D4EDE83DA205,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.597{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.597{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.596{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
23542300x8000000000000000321083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.502{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526BD1F1BBFD2ABD7612507125FBB2DD,SHA256=A14D4F167F7202D9D0DF1AD843B3BFACDCC393F91812D81F020004DD4A97B83A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.502{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0700DDF0015A42830F3544C41CC7FE,SHA256=0CE95E26BE39137F68A0180B830D1F89BD6A1C3C90774797A3E588236C97701C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:25.720{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52669-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000321081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:28.219{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=51E865D0DA3613F801501E2FD433944A,SHA256=A1730184B1A9FEB49370A913DE4374F35F0CE67E5452A5151DA4E5EF3AAA396F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.587{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A0CC5499A89FE46193CECC3517ED28,SHA256=A4A29E4DBC2CE974B5F4CC2F6892F0D68C6B4CD997E25866917BE50E941A1915,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:29.506{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exeC:\Temp\OfficeSetup.exe2023-01-27 11:22:29.491
23542300x8000000000000000447337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:29.018{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EC38C3D2129A0F1E6CCF3AB2EDA8C2,SHA256=89436C2E48E241EAE52A13F52A093FF1278C08B61B5FF1959F863ABE1CAA9AF2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.256{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F2-63D3-A803-00000000BD02}1392C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:30.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FD04D707851DEEE55BD86BA0A7503F,SHA256=1F091B8932452E8537DD54B0FF66D595C95E8847274C01AE338D7DB4E6C009E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:30.109{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21743D366637C0B30AC058B8FB1C307,SHA256=EE9B05C4ECB68AA49B8729F38EDA972961205456D6BFB56828B82D13926CE128,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:31.666{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41B015791A48ABE1DD8EFA0F3C223577,SHA256=B5245441EB44EB2FF8295E236FBCA51C0FEE6FFB7AAAD13778FCCB59F8AB07E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.197{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FA0333B42568B34372169F7BAFB0EA,SHA256=7AA444A68D0F13A0A8FEDFEFC1E29FD6C5CA0F3A9B1D15BA6F049D3AFE2D524D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000321093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:29.335{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50953-false10.0.1.12-8000-
10341000x8000000000000000321125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.984{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.931{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.930{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.930{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.925{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.917{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.916{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.915{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.914{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.752{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CA20B831AF4CAA183794E3672CB8CB,SHA256=7DCB9717C2523BE7108A0F8A04FAC52E1567A6608B92720F428CBBE53157509F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.282{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A33BC2BE55BF880555DF7E5FE4AC83,SHA256=C850E46E2EC63F39298AC8C4AD4A11752F7F80D59819B9522E167E7F1A5F4074,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.659{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.659{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.487{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000321104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\OfficeSetup.exeBinary Data
10341000x8000000000000000321103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.237{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.206{72106695-B106-63D3-2B03-00000000BD02}9645996C:\Windows\Explorer.EXE{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+177a30|C:\Windows\System32\SHELL32.dll+177683|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000321095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.126{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe16.0.13801.20266Microsoft OfficeMicrosoft OfficeMicrosoft CorporationBootstrapper.exe"C:\Temp\OfficeSetup.exe" C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=1B649814B0DBE3798D7426035C957FBD,SHA256=6469E1E2B57624EF62F5D36DFF93DFA0A50357B38350B565F395954A69327BB3,IMPHASH=6C556F7C64982E938EFD4571794DFE48{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\explorer.exeC:\Windows\Explorer.EXE
354300x8000000000000000447342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:30.881{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52670-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:33.370{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E715FE50BBA7B0EB2C8946AB18CB6E1,SHA256=B19711BEB1DC264D3D5840203D0D5B158A1B36C05018E18AF49C0377DE9E6F86,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.580{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.408{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.408{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.377{72106695-B3F9-63D3-AB03-00000000BD02}46763540C:\Windows\system32\conhost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.222{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.205{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.174{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAE3EC59A37096E67F5339642935C2F7,SHA256=5C9E1B87DCECA08B92C4FC1956C113506545C8C33BE6FB0A402665124F25D6C0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.112{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.111{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64)
154100x8000000000000000321130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.100{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe"
10341000x8000000000000000321129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.100{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.039{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.039{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:33.038{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
354300x8000000000000000447346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.757{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A65427-
354300x8000000000000000447345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:31.757{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A51044-
23542300x8000000000000000447344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:34.483{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16341B0E43FBE1018D23730ECDD26F95,SHA256=9FE3A978A7FF07D0F5850DAAE62C51989CF9D39CBDC58C4F3E9E6903A98A2CF0,IMPHASH=00000000000000000000000000000000falsetrue
17141700x8000000000000000321168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:22:34.717{72106695-B3F9-63D3-AA03-00000000BD02}5852\PSHost.133192921531001648.5852.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
23542300x8000000000000000321167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.685{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ztfcqicw.uw4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.685{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bx42dlfi.nwp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.376{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_bx42dlfi.nwp.ps12023-01-27 11:22:34.376
10341000x8000000000000000321164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.358{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.336{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50954-false52.109.13.64-443https
354300x8000000000000000321162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.329{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50955-false52.113.194.132-443https
10341000x8000000000000000321161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.342{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.124{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.123{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.121{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.121{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.079{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.078{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x8000000000000000321148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.053{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B3AE72E8117EEA707F9EA04C211DBEB5,SHA256=A60B044BEE9F7A1324A1727DC2234FF7710F8DD03299D55BDF91691CD1D72BE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.051{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E710A41F2B46CC54017AFB2DF1BEE1D9,SHA256=4824EA7CF91AB7FB94388BA04C8F2D8F3AC037EB2F56FF1AD39B8B7CFE863F68,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.013{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x8000000000000000447343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:34.091{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:35.559{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E8771FDA239B4F6FC2A23B651B677D,SHA256=1A815EE55160C679F82DB6EA44E6D5D1F38C1A762FCA23DFCB4609F084B89857,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.904{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52998-
354300x8000000000000000447348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.904{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58423-
354300x8000000000000000447347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:32.790{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
10341000x8000000000000000321189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.944{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.944{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.928{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.569{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D282A4A20EA09BE13BE38E27166E575F,SHA256=596CB8E95B3DB7CB522B00D11DD7BCEFA0A0515800D75E2FBB43EC169D98FF7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.569{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D46B912D74DE4982EA7CBBDE5B21C10,SHA256=1589C1487088E7753A67B387AA180E3FD0D519D0EA663DCE60EA5CCE57285942,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xqlgmawu.ped.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mysdrnn2.t50.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.366{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mysdrnn2.t50.ps12023-01-27 11:22:35.366
22542200x8000000000000000321176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:32.315{72106695-B3F8-63D3-A903-00000000BD02}6048ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Temp\OfficeSetup.exe
10341000x8000000000000000321175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.122{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F9-63D3-AB03-00000000BD02}4676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.082{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.082{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.010{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:35.010{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3F9-63D3-AA03-00000000BD02}5852C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:36.652{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E8C17A75E58A6AAB005AEED9D6A09A,SHA256=2FF0F80E26821EF2B1A7C280CADA845B03F32086102EF89DBFF347AF8B86396D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-B3FC-63D3-AE03-00000000BD02}48644360C:\Windows\system32\conhost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.890{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B102-63D3-1003-00000000BD02}3944400C:\Windows\system32\csrss.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64)
154100x8000000000000000321201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.884{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "C:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe"
10341000x8000000000000000321200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratchMD5=21438EF4B9AD4FC266B6129A2F60DE29,SHA256=13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.875{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratchMD5=BD3457E50947D4280734E74B51B5B68D,SHA256=23D647979BC5DC186DE5BA3E00A222A912AB8E4782EB6407EFA70E29E95979F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.844{72106695-B3F9-63D3-AA03-00000000BD02}5852WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A22FD0E6CA604141CC79B1F5A89CD869,SHA256=0915C22CB4446CE63A9023B1C884E17AB2DE5463B7F96B509CC801672B065D3B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.474{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332A0538177F7AA151CCFECEC39B9DEB,SHA256=18B2685047F0478563A9DED2373786196D8C8FA76A72F926D4C86C8CF5A8A459,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000321194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:34.364{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50956-false10.0.1.12-8000-
10341000x8000000000000000321193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.164{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:36.163{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x8000000000000000447352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.735{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CFBBEADA86C72C321F60DDCFEBBBF2,SHA256=5138AAFCCDA79C7E8E6CA08991BC005ADD2BCDD23FC28D3DAA201989B2944A97,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.975{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E43D463E940B342245EA9B320B58C913,SHA256=4CE77E7FB2A850FB70770736B978DD6580292F19F74E66ADA338C6025C8974F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_d3jk545z.krc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ortcwqvg.zbi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.740{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ortcwqvg.zbi.ps12023-01-27 11:22:37.740
23542300x8000000000000000321236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.678{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.631{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE81706ED904FA828ED4290FDBFF95E3,SHA256=152044B5C3A98E6E8D57A64FFE80158623478D26DF9D42D91A65CB9F7EC8AAC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.537{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1E9B00958766BCCA05753C1C13DBA659,SHA256=082EE7125486DFF9869C55E298979D217734657307E767923C7B0DFE08657247,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.492{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.492{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.443{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.443{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
17141700x8000000000000000321229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-CreatePipe2023-01-27 11:22:37.412{72106695-B3FC-63D3-AD03-00000000BD02}5512\PSHost.133192921568843282.5512.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
23542300x8000000000000000321228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.397{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_02pkrd0i.lg1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.397{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mmzfqxju.d4w.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.381{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mmzfqxju.d4w.ps12023-01-27 11:22:37.381
10341000x8000000000000000321225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.351{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.334{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.320{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.242{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.242{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.167{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.157{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.156{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x8000000000000000321211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.059{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=477DD69D48FB2E71D268AB9CEF38FE97,SHA256=7BD858AB39D95CB025AC53ADBDFDA43C2C3B1003DEE2E181D211903E1FD12F35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:38.826{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AE6D8F00CC92520568B69DCD5A5AA2,SHA256=50BE644D3AC4F55653504131A47A4B4F5AD5F68626C11CDA3CF928FDD90F392E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.948{72106695-9B85-63D3-1500-00000000BD02}10401400C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e
23542300x8000000000000000321284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.936{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=29E550D41F9263B9115BF9CA7CF90C2E,SHA256=A6FAD30AA1B8B475A9D9A3727A2F12D4B4DDFC78E90B487CA702878693E80C8B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.934{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.932{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000321281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.854{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid
734700x8000000000000000321280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.838{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid
10341000x8000000000000000321279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.823{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.791{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D9413CE8D61B8624B593D573AF55DE14,SHA256=96B1451FE52A1E5672964AFB6C294AC1C2B7BDDEEF6852C794B41310FC407ADE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.776{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.760{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.760{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.745{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.745{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.574{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C758659A6275AC78DF0FB4B4361513,SHA256=B67885E0DF12DB6BC8F0049F572BCAEAC8342B62AF8E361234D97A9015522FA3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.557{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.554{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.536{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.536{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\system32\services.exe+21fc|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x8000000000000000321259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.521{72106695-9B84-63D3-0B00-00000000BD02}6284308C:\Windows\system32\lsass.exe{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000321256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:38.505{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITSecc3ff9c-fa8e-4199-857f-b75585ed9495
354300x8000000000000000447353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:35.934{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000321255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.346{72106695-9B88-63D3-4200-00000000BD02}2308NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\disk.PNFMD5=4EFFFA1A69CC68965A020830F5849EB6,SHA256=B483BF142AF92CA4090161655EEB82EBFAE5BD835896B15A5680CD0824CC2C46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.345{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-journalMD5=1161D921BD8756FC0D09FD5A8FF30390,SHA256=51426F2AD7CD6596FD9901BA303332AAA9A3CE8B8E41D49A482CA065644ED78F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.335{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-journalMD5=D39D4B1DA933984BCD42FC8C9F39C9B0,SHA256=88E0663C2A1D43E4F65D6FA8CB51B18E421F3956F9394B8731D55A81ADFFAF94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.190{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateResult.scratchMD5=21438EF4B9AD4FC266B6129A2F60DE29,SHA256=13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.189{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\Office.ValidateError.scratchMD5=BD3457E50947D4280734E74B51B5B68D,SHA256=23D647979BC5DC186DE5BA3E00A222A912AB8E4782EB6407EFA70E29E95979F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.186{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4F439E8AC870F29B1F3199DAC8AA8C24,SHA256=FFD3D46770CB2C85FCDE2FAC4058FF6A1A23D2496F4CCE7327B7EC464F606EF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.168{72106695-B3FC-63D3-AD03-00000000BD02}5512WIN-HOST-CTUS-A\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=4EC9C6C86A2B618E8C869B7DD272B0EE,SHA256=8DEA3B617E28770368FF4E708938FC78D8AFC9C6D79D530B4DBDE5E347D7F403,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.045{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.043{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.043{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AE03-00000000BD02}4864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.040{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FC-63D3-AD03-00000000BD02}5512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.037{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.037{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FB-63D3-AC03-00000000BD02}5616C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
23542300x8000000000000000447376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.886{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE736B63A8E7CE514BA6F19CC7D92E8,SHA256=DD05A6A8AA71803466C2B07EE713D6F1D83E3E6192D8AC4FCE472E4A48E2DBB6,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000321323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.180{72106695-9B82-63D3-0100-00000000BD02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250961-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001-
354300x8000000000000000321322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.180{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250961-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001-
354300x8000000000000000321321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.111{72106695-9B82-63D3-0100-00000000BD02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250960-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001-
354300x8000000000000000321320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.111{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-host-ctus-attack-range-21250960-true0:0:0:0:0:0:0:1win-host-ctus-attack-range-21247001-
354300x8000000000000000321319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.048{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50959-false10.0.1.12-8089-
354300x8000000000000000321318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.034{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse239.255.255.250-1900ssdpfalse127.0.0.1win-host-ctus-attack-range-21256808-
10341000x8000000000000000321317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.986{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.986{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.657{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91F64870753C047B34F46942904FB00F,SHA256=6D44125926AB0DE0864E5E576685A5E8659F61AD757F7F4A0AC5FED4EA5D5039,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.579{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\BITAA40.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.548{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728E8BD7CC9E64831DAD05E0C1663506,SHA256=31B93541583E60229ABF5B6F84C967D5104A4F5FCB90DB61603E507C16FD596B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.532{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761DD7037D6CFE9776F2807725AFCD35,SHA256=D229E926B5569F88F6D16DE0FD4E26CEE45AFBA4DAFE8F454576E7F4C03277E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\BITAA40.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.517{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\i640CheckReachable43DF1BC3-3BED-4CA0-A281-3F36D5D53C5AMD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d
354300x8000000000000000447375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.162{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A56804-
354300x8000000000000000447374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.078{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57619-
10341000x8000000000000000447373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.520{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.499{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.491{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.488{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.486{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.483{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.451{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.446{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.426{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.419{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.411{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.397{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.389{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.379{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.362{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.353{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.345{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.313{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:39.305{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
23542300x8000000000000000321308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.501{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000321307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.489{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000321306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.724{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50958-false23.220.246.181a23-220-246-181.deploy.static.akamaitechnologies.com80http
354300x8000000000000000321305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:37.646{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50957-false52.109.4.18-443https
23542300x8000000000000000321304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.423{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA9E1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.408{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.392{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\VersionDescriptor.xmlMD5=734094314B1AD4B9A51659C4C2B6F662,SHA256=52C2539D10DEBBA4C8DB2F9C18E7B7805BC1F9E229DF7ED209CBEE08B82AB57B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.391{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\v64_16.0.15601.20456.cabMD5=8BBD8448DC98A6B5A8852A09FAEB1C60,SHA256=FBA7F173490B588AB932C6E104FD9C59BF561E484B533FF0C3BB0550336EA443,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.376{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\v64.hashMD5=A261BD5EDAFDF1EE98823D307848AC04,SHA256=5F8C91FB1B1004A895AB67CF027306F45937D97F757A3D3ACCC31F09C9C63E24,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.241{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.240{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x8000000000000000321293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.130{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\BITA8A7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.107{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R85C46F03-C6D1-4ED6-81D5-020A1BA3D876\BITA8A7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.101{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.099{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\v64_16.0.15601.20456CheckReachable5D0DC3DE-8825-4157-B863-B1E706CF6A39MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d
23542300x8000000000000000321289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.088{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000321288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.075{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.026{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\BITA858.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:39.010{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000447385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.955{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F6BCFF9BDE48661C5909B00C14D38B,SHA256=02A61D1433AE3BA705445DB2526461362E51D29C9DFFB1E1FC4A8CDA88CB2133,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.971{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeC2RClient.exe2023-01-27 11:22:40.971
11241100x8000000000000000321469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.971{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcr120.dll2023-01-27 11:22:40.971
11241100x8000000000000000321468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.955{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcp140.dll2023-01-27 11:22:40.955
11241100x8000000000000000321467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.955{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msvcp120.dll2023-01-27 11:22:40.955
11241100x8000000000000000321466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.924{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\msix.dll2023-01-27 11:22:40.924
11241100x8000000000000000321465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.924{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\MavInject32.exe2023-01-27 11:22:40.924
11241100x8000000000000000321464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.893{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\manageability.dll2023-01-27 11:22:40.893
11241100x8000000000000000321463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.846{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\inventory.dll2023-01-27 11:22:40.846
23542300x8000000000000000321462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.815{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE596BEA2684543DBE5CA6C167BD5E,SHA256=A500F0519383C8279D933F01026E2DE29058886ACA4012F0CD116D781F391120,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\IntegratedOffice.exe2023-01-27 11:22:40.752
11241100x8000000000000000321460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\InspectorOfficeGadget.exe2023-01-27 11:22:40.752
11241100x8000000000000000321459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.752{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\concrt140.dll2023-01-27 11:22:40.752
354300x8000000000000000321458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.034{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse127.0.0.1win-host-ctus-attack-range-21256808-false239.255.255.250-1900ssdp
10341000x8000000000000000321457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.752{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.752{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.650{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.644{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RUI.dll2023-01-27 11:22:40.644
10341000x8000000000000000321453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.643{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.642{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.zh-tw.dll2023-01-27 11:22:40.641
11241100x8000000000000000321451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.637{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.zh-cn.dll2023-01-27 11:22:40.636
10341000x8000000000000000321450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.635{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.630{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.vi-vn.dll2023-01-27 11:22:40.629
10341000x8000000000000000321448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.625{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.625{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.uk-ua.dll2023-01-27 11:22:40.623
10341000x8000000000000000321446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.623{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.622{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.tr-tr.dll2023-01-27 11:22:40.621
11241100x8000000000000000321444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.615{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.th-th.dll2023-01-27 11:22:40.615
11241100x8000000000000000321443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.614{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sv-se.dll2023-01-27 11:22:40.614
11241100x8000000000000000321442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.613{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sr-latn-rs.dll2023-01-27 11:22:40.613
11241100x8000000000000000321441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.612{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sl-si.dll2023-01-27 11:22:40.610
11241100x8000000000000000321440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.610{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.sk-sk.dll2023-01-27 11:22:40.610
11241100x8000000000000000321439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.609{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ru-ru.dll2023-01-27 11:22:40.609
11241100x8000000000000000321438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.608{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ro-ro.dll2023-01-27 11:22:40.608
11241100x8000000000000000321437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.608{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pt-pt.dll2023-01-27 11:22:40.608
11241100x8000000000000000321436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.607{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pt-br.dll2023-01-27 11:22:40.607
11241100x8000000000000000321435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.606{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.pl-pl.dll2023-01-27 11:22:40.606
11241100x8000000000000000321434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.606{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.nl-nl.dll2023-01-27 11:22:40.605
11241100x8000000000000000321433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.605{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.nb-no.dll2023-01-27 11:22:40.604
11241100x8000000000000000321432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.604{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ms-my.dll2023-01-27 11:22:40.600
11241100x8000000000000000321431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.599{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.lv-lv.dll2023-01-27 11:22:40.599
11241100x8000000000000000321430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.599{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.lt-lt.dll2023-01-27 11:22:40.599
11241100x8000000000000000321429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.598{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ko-kr.dll2023-01-27 11:22:40.598
11241100x8000000000000000321428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.597{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.kk-kz.dll2023-01-27 11:22:40.597
11241100x8000000000000000321427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.596{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ja-jp.dll2023-01-27 11:22:40.596
11241100x8000000000000000321426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.595{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.it-it.dll2023-01-27 11:22:40.595
11241100x8000000000000000321425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.594{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.id-id.dll2023-01-27 11:22:40.594
11241100x8000000000000000321424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.593{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hu-hu.dll2023-01-27 11:22:40.593
11241100x8000000000000000321423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.592{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hr-hr.dll2023-01-27 11:22:40.592
11241100x8000000000000000321422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.592{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.hi-in.dll2023-01-27 11:22:40.591
11241100x8000000000000000321421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.589{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.he-il.dll2023-01-27 11:22:40.589
11241100x8000000000000000321420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.584{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fr-fr.dll2023-01-27 11:22:40.584
11241100x8000000000000000321419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.584{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fr-ca.dll2023-01-27 11:22:40.583
11241100x8000000000000000321418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.583{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.fi-fi.dll2023-01-27 11:22:40.583
11241100x8000000000000000321417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.582{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.et-ee.dll2023-01-27 11:22:40.582
11241100x8000000000000000321416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.582{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.es-mx.dll2023-01-27 11:22:40.581
11241100x8000000000000000321415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.581{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.es-es.dll2023-01-27 11:22:40.581
11241100x8000000000000000321414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.580{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.en-us.dll2023-01-27 11:22:40.579
11241100x8000000000000000321413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.578{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.en-gb.dll2023-01-27 11:22:40.578
10341000x8000000000000000321412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.578{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.577{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.el-gr.dll2023-01-27 11:22:40.577
11241100x8000000000000000321410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.577{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.de-de.dll2023-01-27 11:22:40.577
11241100x8000000000000000321409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.576{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.da-dk.dll2023-01-27 11:22:40.576
11241100x8000000000000000321408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.575{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.cs-cz.dll2023-01-27 11:22:40.575
11241100x8000000000000000321407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.575{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.bg-bg.dll2023-01-27 11:22:40.575
11241100x8000000000000000321406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.574{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2RINTL.ar-sa.dll2023-01-27 11:22:40.573
11241100x8000000000000000321405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.569{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\c2r64werhandler.dll2023-01-27 11:22:40.569
10341000x8000000000000000321404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.567{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.550{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2R64.dll2023-01-27 11:22:40.550
11241100x8000000000000000321402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.548{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\c2r32werhandler.dll2023-01-27 11:22:40.547
10341000x8000000000000000321401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.547{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.535{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
354300x8000000000000000447384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52336-
354300x8000000000000000447383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57086-
354300x8000000000000000447382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:37.940{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58701-
10341000x8000000000000000447381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.118{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.113{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.110{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.108{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:40.106{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000321399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.531{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.531{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\C2R32.dll2023-01-27 11:22:40.531
11241100x8000000000000000321397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.528{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVShNotify.exe2023-01-27 11:22:40.528
10341000x8000000000000000321396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.527{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.526{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.524{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVScripting.dll2023-01-27 11:22:40.524
10341000x8000000000000000321393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.523{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.516{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.516{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.515{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVPolicy.dll2023-01-27 11:22:40.514
10341000x8000000000000000321389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.514{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.513{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.512{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.510{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.508{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.507{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVOrchestration.dll2023-01-27 11:22:40.507
10341000x8000000000000000321383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.501{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.500{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVManifest.dll2023-01-27 11:22:40.500
10341000x8000000000000000321381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.497{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.495{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvVirtualization.dll2023-01-27 11:22:40.494
11241100x8000000000000000321379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.492{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvSubsystems64_msix.dll2023-01-27 11:22:40.490
354300x8000000000000000321378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:38.325{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50962-false23.220.246.181a23-220-246-181.deploy.static.akamaitechnologies.com80http
10341000x8000000000000000321377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.482{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.475{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.473{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems64_arm64x.dll2023-01-27 11:22:40.473
10341000x8000000000000000321374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.458{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.456{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems64.dll2023-01-27 11:22:40.456
11241100x8000000000000000321372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.454{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems32_msix.dll2023-01-27 11:22:40.454
10341000x8000000000000000321371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.442{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.442{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppvIsvSubsystems32.dll2023-01-27 11:22:40.437
10341000x8000000000000000321369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.437{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.426{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.423{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvSubsystemController.dll2023-01-27 11:22:40.422
11241100x8000000000000000321366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.419{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvStreamingManager.dll2023-01-27 11:22:40.419
11241100x8000000000000000321365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.414{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIsvApi.dll2023-01-27 11:22:40.414
11241100x8000000000000000321364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.401{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVIntegration.dll2023-01-27 11:22:40.401
11241100x8000000000000000321363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.398{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVFileSystemMetadata.dll2023-01-27 11:22:40.397
10341000x8000000000000000321362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.391{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.385{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:40.384{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\appvcleaner.exe2023-01-27 11:22:40.384
11241100x8000000000000000321359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.379{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\AppVCatalog.dll2023-01-27 11:22:40.379
10341000x8000000000000000321358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.376{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.375{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\ApiClient.dll2023-01-27 11:22:40.375
11241100x8000000000000000321356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:40.374
11241100x8000000000000000321355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:40.374
11241100x8000000000000000321354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.374{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:40.374
11241100x8000000000000000321353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.373{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:40.373
11241100x8000000000000000321352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:40.372
11241100x8000000000000000321351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:40.371
11241100x8000000000000000321350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.371{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:40.370
11241100x8000000000000000321349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.370{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:40.370
10341000x8000000000000000321348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.369{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
11241100x8000000000000000321347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.369{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:40.369
11241100x8000000000000000321346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.369{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:40.369
11241100x8000000000000000321345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:40.368
11241100x8000000000000000321344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:40.368
11241100x8000000000000000321343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.368{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:40.367
11241100x8000000000000000321342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.367{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:40.367
11241100x8000000000000000321341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.367{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:40.366
11241100x8000000000000000321340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.366{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:40.366
11241100x8000000000000000321339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.366{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:40.366
11241100x8000000000000000321338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:40.365
11241100x8000000000000000321337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:40.365
11241100x8000000000000000321336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.365{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:40.364
11241100x8000000000000000321335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.364{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:40.363
11241100x8000000000000000321334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:40.363{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:40.362
10341000x8000000000000000321333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.358{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.352{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.345{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.336{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.328{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.320{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.315{72106695-9B85-63D3-2000-00000000BD02}20002228C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013084190)
10341000x8000000000000000321326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.186{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.183{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.183{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
23542300x8000000000000000321483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:41.939{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EAB55D8E3DA01287B780600A283F42,SHA256=DEE59B851684B8B128ADFFF2A1A94BA62A4D269ACDB7311845F9CD2D3C935CD8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vcruntime140_1.dll2023-01-27 11:22:41.502
11241100x8000000000000000321481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vcruntime140.dll2023-01-27 11:22:41.502
11241100x8000000000000000321480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.502{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\vccorlib140.dll2023-01-27 11:22:41.486
11241100x8000000000000000321479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.486{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\ucrtbase.dll2023-01-27 11:22:41.486
11241100x8000000000000000321478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.440{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\StreamServer.dll2023-01-27 11:22:41.440
11241100x8000000000000000321477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.372{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\RepoMan.dll2023-01-27 11:22:41.371
11241100x8000000000000000321476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.352{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\policy.dll2023-01-27 11:22:41.352
11241100x8000000000000000321475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.351{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\offreg.dll2023-01-27 11:22:41.351
11241100x8000000000000000321474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:41.317{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\officesvcmgr.exe2023-01-27 11:22:41.317
11241100x8000000000000000321473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.311{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\officeinventory.dll2023-01-27 11:22:41.311
11241100x8000000000000000321472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:41.202{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeClickToRun.exe2023-01-27 11:22:41.202
11241100x8000000000000000321471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:41.183{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exeC:\Program Files\Common Files\microsoft shared\ClickToRunOfficeC2RE724C1CF-BB68-45C2-94B1-28CEC549AE7B\OfficeC2RCom.dll2023-01-27 11:22:41.183
23542300x8000000000000000321518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.966{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\nettun.PNFMD5=BD6709D5BF215E2CF91048A8CCDEBB3D,SHA256=C32982286CA7ACA0C46BEEA357EB862D310C77533A196F711D3B5974AC12EDFC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.916{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\kdnic.PNFMD5=861603879DD967E87280D332BBF7A1F3,SHA256=A4CFD010F2557CEFF643A89E8A6102E58A0380C14A6DBE6C23C372BF10E4C466,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.885{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\oem19.PNFMD5=DEB3EA3582187AC09FB17F4BFCDD1B29,SHA256=24B1DC69E5098CA0208FE82F3933595AA54D7B606E7F1313B4DDD8783C1C093F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.870{72106695-9B84-63D3-0A00-00000000BD02}620NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\disk.PNFMD5=20030ACEE21A871B3AA9005F2FD441BF,SHA256=97557E28164DEA0AA2F30EE0A3C6C87A16445948CDABFD12814D979CD10EF76F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+2ccc05|C:\Windows\System32\SHELL32.dll+204fb5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+2ccbcf|C:\Windows\System32\SHELL32.dll+204fb5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+2ccb55|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+2ccb42|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.823{72106695-B402-63D3-B003-00000000BD02}37803272C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+2ccb42|C:\Windows\System32\SHELL32.dll+204f88|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19cf94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19db4e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll+19c32f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e
10341000x8000000000000000321502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca
10341000x8000000000000000321501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.807{72106695-B106-63D3-2B03-00000000BD02}9644604C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+5cf54|C:\Windows\Explorer.EXE+5c591|C:\Windows\Explorer.EXE+5a3f3|C:\Windows\Explorer.EXE+5968c|C:\Windows\Explorer.EXE+56c33|C:\Windows\Explorer.EXE+4bb4d|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+28e4e|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8032ED142A8)|UNKNOWN(FFFFFD9D5A4DE5FF)|UNKNOWN(FFFFFD9D5A483BA2)|UNKNOWN(FFFFFD9D5A47E1A1)|UNKNOWN(FFFFFD9D5A47FB6A)|UNKNOWN(FFFFFD9D5A47DE26)|UNKNOWN(FFFFF8032E988C03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e
10341000x8000000000000000321500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.698{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.651{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.651{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.588{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.573{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.557{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:40.334{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50963-false10.0.1.12-8000-
10341000x8000000000000000321493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.511{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-B102-63D3-1003-00000000BD02}39441080C:\Windows\system32\csrss.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.371{72106695-B3F8-63D3-A903-00000000BD02}60485684C:\Temp\OfficeSetup.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Temp\OfficeSetup.exe+162225|C:\Temp\OfficeSetup.exe+162311|C:\Temp\OfficeSetup.exe+162ac2|C:\Temp\OfficeSetup.exe+13640|C:\Temp\OfficeSetup.exe+1324c|C:\Temp\OfficeSetup.exe+137e5|C:\Temp\OfficeSetup.exe+339a1|C:\Temp\OfficeSetup.exe+27f2a|C:\Temp\OfficeSetup.exe+2a554|C:\Temp\OfficeSetup.exe+2a519|C:\Temp\OfficeSetup.exe+2a5f0
154100x8000000000000000321486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.272{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe16.0.15601.20446Microsoft Office Click-to-Run (SxS)Microsoft OfficeMicrosoft CorporationOfficeClickToRun.exeOfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 baseurl.16=http://officecdn.microsoft.com/pr/7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 version.16=16.0.15601.20456 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=7ffbc6bf-bc32-4f92-8982-f9dd17fd3114 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknownC:\Temp\WIN-HOST-CTUS-A\Administrator{72106695-B105-63D3-6E44-240000000000}0x24446e2HighMD5=B354D28EB4C8B414AFFC2904352FD859,SHA256=6D1197B8425CE42A482AA3799351E4B6C24C83804F40B7202B69A06ED588269D,IMPHASH=4FA4A7FB515E6A9EBA3594732D26ECF7{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe"C:\Temp\OfficeSetup.exe"
10341000x8000000000000000321485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.271{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.223{72106695-B3F8-63D3-A903-00000000BD02}6048WIN-HOST-CTUS-A\AdministratorC:\Temp\OfficeSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\OfficeC2R5BD0D6D6-30E2-41A3-924A-B80F653C92A7\i640.cabMD5=F1A87BD364E5E9ED021790138E395827,SHA256=44D2EAF5B814526EA283DAAD5333D87170CC71F63AE008BDF03B57CDAA880F13,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.774{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-A6A6-63D3-2C02-00000000BC02}2236C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.757{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C98-63D3-C300-00000000BC02}5900C:\Users\Administrator\Downloads\dnSpy-net-win32\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.753{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9C12-63D3-AC00-00000000BC02}5808C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.747{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BF0-63D3-9C00-00000000BC02}660C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.738{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEF-63D3-9B00-00000000BC02}5064C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.713{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEE-63D3-9A00-00000000BC02}4776C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.708{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-9200-00000000BC02}4292C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.696{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BED-63D3-8F00-00000000BC02}4216C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.690{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEC-63D3-8C00-00000000BC02}3312C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.688{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BEB-63D3-8A00-00000000BC02}704C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.685{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.683{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.682{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4500-00000000BC02}3596C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.680{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B99-63D3-4400-00000000BC02}3544C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.364{45AAC21C-9B83-63D3-0B00-00000000BC02}632796C:\Windows\system32\lsass.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.349{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-3000-00000000BC02}2848C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3D00-00000000BC02}3320C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.166{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B98-63D3-3600-00000000BC02}3136C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.164{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B97-63D3-3100-00000000BC02}3024C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.155{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
10341000x8000000000000000447387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.148{45AAC21C-9B96-63D3-3000-00000000BC02}28483424C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2E00-00000000BC02}2804C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C803D0)
23542300x8000000000000000447386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.054{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CECBF777CAC87D775C0CC0775A4ABA,SHA256=176F6AC5695E7110B28DBDA3716D482F6790743749EF49994DB1E2CD4C03B505,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\BITBBB8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}10322256C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\s640CheckReachableFE4A2A8C-B82B-47E3-9D92-8C10965DA207MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d
23542300x8000000000000000321569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.986{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000321568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.970{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.923{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBB79.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.923{72106695-9B85-63D3-1400-00000000BD02}10322256C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.876{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\s641033.cabMD5=78438A5023EDFD496D311B2352D9A8D5,SHA256=9B4DB69F1588766EBA3DD44CD34F40A92B31FD42772FB640FED34214F9C54EBE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.830{72106695-9B85-63D3-1700-00000000BD02}12241448C:\Windows\System32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.658{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\BITBA3F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.611{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R1E05752F-31EC-4263-AFE0-9DD22FEE9EF6\BITBA3F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\s641033CheckReachableDBF76697-148E-4FB8-A8B3-8ADAE12C4D88MD5=69691C7BDCC3CE6D5D8A1361F22D04AC,SHA256=08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x4d
23542300x8000000000000000321559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.596{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000321558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.587{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.575{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.574{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
23542300x8000000000000000321551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.542{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\BITBA00.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.538{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.531{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB80BC9A3DCCD43A6608C763FCAEAA6,SHA256=72B9E04BEB588EF1CFEA03D61BABF2A959E4E3B75C79B7D4497EE5868381E2B1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.424{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
11241100x8000000000000000321545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:43.301{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe2023-01-27 11:22:43.301
11241100x8000000000000000321544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:43.295{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe2023-01-27 11:22:43.295
10341000x8000000000000000321543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.113{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.112{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.105{72106695-9B84-63D3-0A00-00000000BD02}6202516C:\Windows\system32\services.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.104{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.104{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.077{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.073{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.028{72106695-9B84-63D3-0A00-00000000BD02}6203860C:\Windows\system32\services.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000321528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:43.030{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe16.0.15601.20446Microsoft Office Click-to-Run (SxS)Microsoft OfficeMicrosoft CorporationOfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=B354D28EB4C8B414AFFC2904352FD859,SHA256=6D1197B8425CE42A482AA3799351E4B6C24C83804F40B7202B69A06ED588269D,IMPHASH=4FA4A7FB515E6A9EBA3594732D26ECF7{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe
13241300x8000000000000000321527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\Security\SecurityBinary Data
13241300x8000000000000000321526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\FailureActionsBinary Data
13241300x8000000000000000321525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.027{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\Description‪Manages resource coordination, background streaming, and system integration of Microsoft Office products and their related updates. This service is required to run during the use of any Microsoft Office program, during initial streaming installation and all subsequent updates.‬
13241300x8000000000000000321524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ObjectNameLocalSystem
13241300x8000000000000000321523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\DisplayNameMicrosoft Office Click-to-Run Service
13241300x8000000000000000321522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ImagePath"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
13241300x8000000000000000321521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\ErrorControlDWORD (0x00000001)
13241300x8000000000000000321520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212T1031,T1050SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\StartDWORD (0x00000002)
13241300x8000000000000000321519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-SetValue2023-01-27 11:22:43.024{72106695-9B84-63D3-0A00-00000000BD02}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\ClickToRunSvc\TypeDWORD (0x00000010)
23542300x8000000000000000447410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:43.214{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73351737D444ECB63323C5629CF838A5,SHA256=0FE9D09991A199906FD3F71B1651FD9B8ED53778975137CF8F04F2BD864C790B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:42.208{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54704-
354300x8000000000000000447413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:41.794{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x8000000000000000447412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:41.427{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A61197-
23542300x8000000000000000447411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:44.292{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDC74D24C668FE4D5DAC34FAD45E5D9,SHA256=4F7939D05484817CE94F5A74A830153A42ECC0B4358D8A8869BB108CCC6CE034,IMPHASH=00000000000000000000000000000000falsetrue
22542200x8000000000000000321599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.830{72106695-9B85-63D3-1400-00000000BD02}1032f.c2r.ts.cdn.office.net0type: 5 office-fg-geo.trafficmanager.net;type: 5 c2r.a-0020.a-msedge.net;type: 5 a-0020.a-msedge.net;::ffff:204.79.197.223;C:\Windows\System32\svchost.exe
22542200x8000000000000000321598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.766{72106695-B403-63D3-B103-00000000BD02}6092f.c2r.ts.cdn.office.net0type: 5 office-fg-geo.trafficmanager.net;type: 5 c2r.a-0020.a-msedge.net;type: 5 a-0020.a-msedge.net;::ffff:204.79.197.223;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
10341000x8000000000000000321597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
22542200x8000000000000000321596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.694{72106695-B403-63D3-B103-00000000BD02}6092ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
10341000x8000000000000000321595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
22542200x8000000000000000321594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.219{72106695-B402-63D3-B003-00000000BD02}3780ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
10341000x8000000000000000321593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.730{72106695-9B85-63D3-1D00-00000000BD02}19122652C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1B3E31E15B37AC4D87868976E1137A,SHA256=4120E77B9026A483CC8CE1B1DEFEC66F9895D7590C1DAF93FA951ACEE6CAFE8A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000321591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.226{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50966-false52.113.194.132-443https
10341000x8000000000000000321590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.224{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50965-false52.109.13.64-443https
10341000x8000000000000000321587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.067{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50964-false52.109.4.32-443https
23542300x8000000000000000321584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6D861F46A792E7004F2F0E59BD6B9B97,SHA256=38827ED65DCA9CB9D326BFDE3EF3DA44CE958BEBDA209B65D0906386856A2A84,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.589{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.326{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.325{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.247{72106695-9B84-63D3-0B00-00000000BD02}6283660C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.243{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\s640.cabMD5=42E186BC65953299C519806BD975C487,SHA256=54D3C789E3B1D6895623F7D5EB331F6655833E95F4D5B7BDB6DB15CA20913253,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:44.048{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Temp\OfficeC2R87976ADD-6B8F-4063-984D-09533066B623\BITBBB8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.987{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.988{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:45.392{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C661814CD84CE14F77F968C32159C9,SHA256=05A68394463A134F47F457E74216C0EE6F4622380C818975AE9963AB2C814591,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.955{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.955{72106695-9B85-63D3-1400-00000000BD02}10321120C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.861{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.846{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.815{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.799{72106695-9B85-63D3-1200-00000000BD02}10006076C:\Windows\System32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000321618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212InvDBSetValue2023-01-27 11:22:45.799{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exeHKU\S-1-5-21-2226226129-4232087961-3617130143-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeBinary Data
10341000x8000000000000000321617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-9B85-63D3-1200-00000000BD02}1000496C:\Windows\System32\svchost.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-B102-63D3-1003-00000000BD02}39442856C:\Windows\system32\csrss.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000321614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.783{72106695-B106-63D3-2B03-00000000BD02}9644716C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\SHELL32.dll+599af|C:\Windows\System32\SHELL32.dll+5983c|C:\Windows\System32\SHELL32.dll+e308e|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.836{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50971-false204.79.197.223-80http
354300x8000000000000000321612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.772{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50970-false204.79.197.223-80http
10341000x8000000000000000321611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.701{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50969-false52.113.194.132-443https
10341000x8000000000000000321608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.701{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50968-false52.109.13.64-443https
10341000x8000000000000000321605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000321603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:42.573{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50967-false52.109.4.32-443https
10341000x8000000000000000321602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.627{72106695-9B85-63D3-1D00-00000000BD02}19122640C:\Windows\sysmon64.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.217{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDC2EBEACB7E63CFF92B2BD6FE0AE66,SHA256=25AA34A6CFD92C814631D8499C98D04CAAB0A5676DD9A3CE0185D706B073442C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000447438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:44.100{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A55535-
10341000x8000000000000000447437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.512{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.514{45AAC21C-B406-63D3-BD03-00000000BC02}4872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.481{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BE29BAE8C31ACD8082EED34BBBA97F,SHA256=03C137378632EB612A9AD2FFF5D6EA31F3DACFC9664B1180D0E94024AB1E855C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.986{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CERTINTL.DLL2023-01-27 11:22:46.984
11241100x8000000000000000321717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BHOINTL.DLL2023-01-27 11:22:46.984
11241100x8000000000000000321716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.982{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\BCSRuntimeRes.dll2023-01-27 11:22:46.981
11241100x8000000000000000321715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACWIZRC.DLL2023-01-27 11:22:46.981
11241100x8000000000000000321714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ACCOLKI.DLL2023-01-27 11:22:46.981
11241100x8000000000000000321713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.980{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUCRES.DLL2023-01-27 11:22:46.980
11241100x8000000000000000321712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.936{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL2023-01-27 11:22:46.936
11241100x8000000000000000321711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.874{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140.dll2023-01-27 11:22:46.871
11241100x8000000000000000321710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.871{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib140.dll2023-01-27 11:22:46.870
11241100x8000000000000000321709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.869{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL2023-01-27 11:22:46.869
10341000x8000000000000000321708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.858{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.857{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
11241100x8000000000000000321705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.842{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCRTBASE.DLL2023-01-27 11:22:46.841
11241100x8000000000000000321704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.840
11241100x8000000000000000321703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.840
11241100x8000000000000000321702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.840{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\C2R64.dll2023-01-27 11:22:46.839
11241100x8000000000000000321701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.838{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.837
11241100x8000000000000000321700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.837{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppvIsvSubsystems64.dll2023-01-27 11:22:46.837
11241100x8000000000000000321699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.837{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:46.836
11241100x8000000000000000321698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.835{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:46.834
11241100x8000000000000000321697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.832{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:46.832
11241100x8000000000000000321696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:46.826{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PerfBoost.exe2023-01-27 11:22:46.826
11241100x8000000000000000321695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.825{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp140.dll2023-01-27 11:22:46.825
11241100x8000000000000000321694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.822{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:46.821
11241100x8000000000000000321693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.821{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:46.819
11241100x8000000000000000321692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.818{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\concrt140.dll2023-01-27 11:22:46.818
11241100x8000000000000000321691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.817{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:46.817
11241100x8000000000000000321690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.816{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:46.816
11241100x8000000000000000321689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.815{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:46.814
11241100x8000000000000000321688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:46.812
11241100x8000000000000000321687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.812{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:46.808
11241100x8000000000000000321686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:46.804
11241100x8000000000000000321685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:46.804
11241100x8000000000000000321684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.810{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:46.804
11241100x8000000000000000321683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.805{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:46.802
11241100x8000000000000000321682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:46.798
11241100x8000000000000000321681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.798{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:46.798
11241100x8000000000000000321680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.798{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:46.797
11241100x8000000000000000321679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.797{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:46.796
11241100x8000000000000000321678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.794{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:46.794
11241100x8000000000000000321677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.794{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:46.794
11241100x8000000000000000321676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.793{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:46.790
11241100x8000000000000000321675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.783{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:46.775
11241100x8000000000000000321674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:46.761{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:46.761
10341000x8000000000000000321673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.621{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.621{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.620{72106695-B106-63D3-2B03-00000000BD02}9644132C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.620{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.619{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.619{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.618{72106695-B106-63D3-2B03-00000000BD02}9644808C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.591{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.590{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.589{72106695-9B85-63D3-1500-00000000BD02}10401540C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.564{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC5AF.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.535{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC5AF.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.528{72106695-9B85-63D3-1400-00000000BD02}10324048C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.524{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\stream.x64.x-noneCheckReachableF182A2F5-A996-40D4-8BC2-05DAE1A41CEEMD5=9DD4E461268C8034F5C8564E155C67A6,SHA256=2D711642B726B04401627CA9FBAC32F5C8530FB1903CC4DB02258717921A4881,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x78
23542300x8000000000000000321659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.514{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000321658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.496{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.473{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.472{72106695-B105-63D3-2303-00000000BD02}39524080C:\Windows\system32\taskhostw.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.471{72106695-B106-63D3-2B03-00000000BD02}9644784C:\Windows\Explorer.EXE{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.445{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC550.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.441{72106695-9B85-63D3-1400-00000000BD02}10323512C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
10341000x8000000000000000321649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.426{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.360{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4E2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.353{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A6CF53BF62162EA6393D4E3519B088C,SHA256=F2E077849722F6E998A4BC7E365FBE3F43F494FD60C39D2F06051EDBD225EB5B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.334{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4E2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.330{72106695-9B85-63D3-1400-00000000BD02}10323972C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
23542300x8000000000000000321644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.328{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\stream.x64.en-usCheckReachable246A6C06-B9D3-425B-8436-4EC6C85B9AC8MD5=9DD4E461268C8034F5C8564E155C67A6,SHA256=2D711642B726B04401627CA9FBAC32F5C8530FB1903CC4DB02258717921A4881,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x78
23542300x8000000000000000321643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.317{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00
23542300x8000000000000000321642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.305{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF25277277A604CA09DB8A95802A96A,SHA256=579974F01D034177F15A986F7C20ED68291F0D9EB3D684EF2DC7FD05BF081FCC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.300{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.273{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.273{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000321638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.271{72106695-9B85-63D3-1400-00000000BD02}1032NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\ClickToRun\ProductReleases\549B28D0-2AAB-4007-AF73-46E58ABB894E\BITC4A3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.267{72106695-9B85-63D3-1400-00000000BD02}10321432C:\Windows\system32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b
10341000x8000000000000000321636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.253{72106695-9B85-63D3-2000-00000000BD02}20001968C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190)
10341000x8000000000000000321633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.235{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.149{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C8875B158745A54AE8A966AA8C66F2E1,SHA256=B30D38FECCF18ED578A83787A1EE5643952C58EF69F4335B74D1B7A7074C3A75,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.031{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B405-63D3-BC03-00000000BC02}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
354300x8000000000000000447424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:43.074{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A58959-
23542300x8000000000000000321632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.172{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=29D669D106A5C4ED725D85834094DC71,SHA256=1B04D120EA6CAB2F04F33C158B07386F5C77EE060C482D7C2B0C59E247373DC7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.157{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000321630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:46.157{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.566{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720D7C875A2CC47EEAFDCCFE8D26A91A,SHA256=169326E5A351D0C925612F840E1FB75DE76D7F0ABB02E6C9B0D414B9175D97DE,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe2023-01-27 11:22:47.991
11241100x8000000000000000321780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe2023-01-27 11:22:47.976
11241100x8000000000000000321779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe2023-01-27 11:22:47.976
11241100x8000000000000000321778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe2023-01-27 11:22:47.944
11241100x8000000000000000321777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe2023-01-27 11:22:47.944
11241100x8000000000000000321776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ocapires.dll2023-01-27 11:22:47.944
11241100x8000000000000000321775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotelemetryintl.dll2023-01-27 11:22:47.929
11241100x8000000000000000321774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\msotdintl.dll2023-01-27 11:22:47.929
11241100x8000000000000000321773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\lyncDesktopResources.dll2023-01-27 11:22:47.929
11241100x8000000000000000321772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLSLICER.DLL2023-01-27 11:22:47.929
11241100x8000000000000000321771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLLEX.DLL2023-01-27 11:22:47.929
11241100x8000000000000000321770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLINTL32.DLL2023-01-27 11:22:47.929
11241100x8000000000000000321769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.929{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe2023-01-27 11:22:47.929
11241100x8000000000000000321768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.913{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe2023-01-27 11:22:47.913
11241100x8000000000000000321767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WWINTL.DLL2023-01-27 11:22:47.898
11241100x8000000000000000321766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe2023-01-27 11:22:47.898
11241100x8000000000000000321765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\VVIEWRES.DLL2023-01-27 11:22:47.898
11241100x8000000000000000321764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe2023-01-27 11:22:47.898
11241100x8000000000000000321763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe2023-01-27 11:22:47.898
11241100x8000000000000000321762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe2023-01-27 11:22:47.898
11241100x8000000000000000321761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UmOutlookStrings.dll2023-01-27 11:22:47.898
11241100x8000000000000000321760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UccApiRes.dll2023-01-27 11:22:47.882
11241100x8000000000000000321759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\UcAddinRes.dll2023-01-27 11:22:47.882
11241100x8000000000000000321758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.882{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe2023-01-27 11:22:47.882
11241100x8000000000000000321757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\oregres.dll2023-01-27 11:22:47.866
11241100x8000000000000000321756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLISTI.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SOCIALCONNECTORRES.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SLINTL.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\QRYINT32.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUBWZINT.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PUB6INTL.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTOCOLHANDLERINTL.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PPINTL.DLL2023-01-27 11:22:47.866
11241100x8000000000000000321748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.866{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcPubRes.dll2023-01-27 11:22:47.866
11241100x8000000000000000321747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OcHelperResource.dll2023-01-27 11:22:47.851
11241100x8000000000000000321746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLWVW.DLL2023-01-27 11:22:47.851
11241100x8000000000000000321745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OUTLLIBR.DLL2023-01-27 11:22:47.851
11241100x8000000000000000321744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.851{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCINTL.DLL2023-01-27 11:22:47.851
11241100x8000000000000000321743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.835{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll2023-01-27 11:22:47.835
354300x8000000000000000321742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.741{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50974-false204.79.197.223-80http
354300x8000000000000000321741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.718{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50973-false52.109.13.64-443https
23542300x8000000000000000321740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.609{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122a.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000321739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:45.504{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50972-false10.0.1.12-8000-
23542300x8000000000000000321738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.404{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9E70D3961748F4ABB6CF9F2DBC30DE,SHA256=2CC81AEBF3490DC0903B8DD70600B167A5830AC761A4F9BF9721394130ED9F2C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.401{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D22061A5E61CA2DE1B9723E6A23EFB,SHA256=4A578A22EC702A064CC2DC4CFD195CAD2ECFD99A43143C3605381B6E22B3DA0F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000321736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000321734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:47.355{72106695-9B85-63D3-2000-00000000BD02}20002908C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000130843D0)
10341000x8000000000000000447451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.207{45AAC21C-B407-63D3-BE03-00000000BC02}42482108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.101{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
23542300x8000000000000000447447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.031{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB704D141CB890F4A1BD1C28A3466F6,SHA256=D789AD4DFA5DE5ED5D562BBC49448FD84B13BB346B15191764A1DFEE1D3BE121,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.012{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.013{45AAC21C-B407-63D3-BE03-00000000BC02}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000321733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMSINTL.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ONINTL.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OMICAUTINTL.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSSRINTL.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSAIN.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MOR6INT.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPISHELLR.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MAPIR.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\IFDPINTL.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRLEX.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\GRINTL32.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EntityPickerIntl.dll2023-01-27 11:22:47.056
11241100x8000000000000000321721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\EXPTOOWS.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ENVELOPR.DLL2023-01-27 11:22:47.056
11241100x8000000000000000321719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:47.056{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\CLVWINTL.DLL2023-01-27 11:22:46.994
23542300x8000000000000000447454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:48.759{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C42F23D3B6DDF63EF2DF6D579B755B,SHA256=A077CC3456C45EC9BBEBADBB9404B68A069C3ACC0FFCB8751316E58AEF023DEA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.PasswordManager.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20ENU.DLL2023-01-27 11:22:48.955
11241100x8000000000000000321957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelServices.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.ExcelAddin.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetIQ.Diagram.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.FileUtils.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ClientConfiguration.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.ExcelServices.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.AuditItems.Resources.dll2023-01-27 11:22:48.955
11241100x8000000000000000321950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.955{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\NATIVESHIM.RESOURCES.DLL2023-01-27 11:22:48.955
11241100x8000000000000000321949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUPLD.INTL.DLL2023-01-27 11:22:48.940
11241100x8000000000000000321948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VVIEWRES.DLL2023-01-27 11:22:48.940
11241100x8000000000000000321947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OcHelperResource.dll2023-01-27 11:22:48.940
11241100x8000000000000000321946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OCLTINT.DLL2023-01-27 11:22:48.940
11241100x8000000000000000321945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\MAPISHELLR.DLL2023-01-27 11:22:48.940
11241100x8000000000000000321944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.924{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\GrooveIntlResource.dll2023-01-27 11:22:48.924
11241100x8000000000000000321943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.902{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\BHOINTL.DLL2023-01-27 11:22:48.901
11241100x8000000000000000321942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.897{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\PortalConnect.dll2023-01-27 11:22:48.897
11241100x8000000000000000321941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.897{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\msointl30.dll2023-01-27 11:22:48.896
11241100x8000000000000000321940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.892{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL2023-01-27 11:22:48.892
11241100x8000000000000000321939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.890{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLL2023-01-27 11:22:48.890
11241100x8000000000000000321938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.889{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL2023-01-27 11:22:48.888
11241100x8000000000000000321937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.886{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL2023-01-27 11:22:48.886
11241100x8000000000000000321936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.886{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL2023-01-27 11:22:48.885
11241100x8000000000000000321935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.875{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FSTOCK.DLL2023-01-27 11:22:48.873
11241100x8000000000000000321934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL2023-01-27 11:22:48.872
11241100x8000000000000000321933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\STINTL.DLL2023-01-27 11:22:48.871
11241100x8000000000000000321932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.871{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL2023-01-27 11:22:48.871
11241100x8000000000000000321931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.859{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll2023-01-27 11:22:48.859
11241100x8000000000000000321930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\msointl30.dll2023-01-27 11:22:48.641
11241100x8000000000000000321929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL2023-01-27 11:22:48.641
11241100x8000000000000000321928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL2023-01-27 11:22:48.641
11241100x8000000000000000321927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.641{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEWSTR.DLL2023-01-27 11:22:48.641
11241100x8000000000000000321926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEODBCI.DLL2023-01-27 11:22:48.625
11241100x8000000000000000321925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ACEINTL.DLL2023-01-27 11:22:48.625
11241100x8000000000000000321924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Templates\1033\GettingStarted16\SLINTL.DLL2023-01-27 11:22:48.625
11241100x8000000000000000321923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7fr.dll2023-01-27 11:22:48.625
11241100x8000000000000000321922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.621{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7es.dll2023-01-27 11:22:48.621
11241100x8000000000000000321921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.619{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mscss7en.dll2023-01-27 11:22:48.619
11241100x8000000000000000321920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.552{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\JitV.dll2023-01-27 11:22:48.552
11241100x8000000000000000321919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.548{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll2023-01-27 11:22:48.548
11241100x8000000000000000321918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vcruntime140.dll2023-01-27 11:22:48.545
11241100x8000000000000000321917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\vccorlib140.dll2023-01-27 11:22:48.544
11241100x8000000000000000321916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.542{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\ucrtbase.dll2023-01-27 11:22:48.542
11241100x8000000000000000321915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.528{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcr120.dll2023-01-27 11:22:48.528
11241100x8000000000000000321914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp140.dll2023-01-27 11:22:48.525
11241100x8000000000000000321913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcp120.dll2023-01-27 11:22:48.523
11241100x8000000000000000321912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.520{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\mfc140u.dll2023-01-27 11:22:48.520
11241100x8000000000000000321911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.491{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.490
11241100x8000000000000000321910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.489{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.489
11241100x8000000000000000321909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.489{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\concrt140.dll2023-01-27 11:22:48.488
11241100x8000000000000000321908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.488{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.487
11241100x8000000000000000321907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.484
11241100x8000000000000000321906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.483
11241100x8000000000000000321905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.483{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.481
11241100x8000000000000000321904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.481{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.479
11241100x8000000000000000321903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.477
11241100x8000000000000000321902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.476{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.475
11241100x8000000000000000321901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.475
11241100x8000000000000000321900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.474
11241100x8000000000000000321899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.474
11241100x8000000000000000321898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.474
11241100x8000000000000000321897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.473
11241100x8000000000000000321896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.473
11241100x8000000000000000321895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.473
11241100x8000000000000000321894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.469
11241100x8000000000000000321893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.469
11241100x8000000000000000321892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.468
11241100x8000000000000000321891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.463
11241100x8000000000000000321890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.463{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.462
11241100x8000000000000000321889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.462{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.462
11241100x8000000000000000321888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.461{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL2023-01-27 11:22:48.461
11241100x8000000000000000321887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.461{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140_1.dll2023-01-27 11:22:48.461
11241100x8000000000000000321886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vcruntime140.dll2023-01-27 11:22:48.460
11241100x8000000000000000321885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\vccorlib140.dll2023-01-27 11:22:48.460
11241100x8000000000000000321884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.460{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\ucrtbase.dll2023-01-27 11:22:48.448
23542300x8000000000000000321883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.460{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B755EEA9444801AFD6A2BF8EDBE219E,SHA256=11281C33C54E54B087DCDDDFB9F323DC8CB9B13BCC48C3CB24EF7C9820B178E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.448{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D7ECF0A4A6ABFDF98E09543AB05CC2,SHA256=1A99DD171F1C7D84D6E2593A84CA06398E93B035A1EBC03F9518CE7DF3C4F52F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.433{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\offfiltx.dll2023-01-27 11:22:48.433
11241100x8000000000000000321880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.425{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dll2023-01-27 11:22:48.425
11241100x8000000000000000321879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.414{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcr120.dll2023-01-27 11:22:48.414
11241100x8000000000000000321878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp140.dll2023-01-27 11:22:48.405
11241100x8000000000000000321877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.402{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp120.dll2023-01-27 11:22:48.402
11241100x8000000000000000321876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msgfilt.dll2023-01-27 11:22:48.397
11241100x8000000000000000321875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\mfc140u.dll2023-01-27 11:22:48.396
23542300x8000000000000000447453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:48.038{45AAC21C-9B96-63D3-2F00-00000000BC02}2816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F782B410078CBB2F893449A791CA2748,SHA256=26840C0A44E21B4A6A21188788E98ABBDAB5ABA225699BEB813C899AD91FE624,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\concrt140.dll2023-01-27 11:22:48.351
11241100x8000000000000000321873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.350
11241100x8000000000000000321872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.351{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.350
11241100x8000000000000000321871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.349{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.348
11241100x8000000000000000321870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.348{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.348
11241100x8000000000000000321869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.348{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.347
11241100x8000000000000000321868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.347
11241100x8000000000000000321867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.344
11241100x8000000000000000321866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.344
11241100x8000000000000000321865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.344
11241100x8000000000000000321864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.344{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.343
11241100x8000000000000000321863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.343
11241100x8000000000000000321862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.343{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.343
11241100x8000000000000000321861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.341
11241100x8000000000000000321860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.341
11241100x8000000000000000321859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.340
11241100x8000000000000000321858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.340
11241100x8000000000000000321857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.340
11241100x8000000000000000321856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.340
11241100x8000000000000000321855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.340{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.339
11241100x8000000000000000321854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.339{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.336
11241100x8000000000000000321853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.336{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.335
11241100x8000000000000000321852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.335{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.335
11241100x8000000000000000321851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.333{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OWSSUPP.DLL2023-01-27 11:22:48.333
11241100x8000000000000000321850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFPROXY.DLL2023-01-27 11:22:48.319
11241100x8000000000000000321849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NPSPWRAP.DLL2023-01-27 11:22:48.319
11241100x8000000000000000321848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.319{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSB.DLL2023-01-27 11:22:48.314
11241100x8000000000000000321847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEV.DLL2023-01-27 11:22:48.314
11241100x8000000000000000321846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.310{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\JitV.dll2023-01-27 11:22:48.310
11241100x8000000000000000321845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Interceptor.dll2023-01-27 11:22:48.306
11241100x8000000000000000321844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.300{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Integrator.exe2023-01-27 11:22:48.300
11241100x8000000000000000321843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140_1.dll2023-01-27 11:22:48.241
11241100x8000000000000000321842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vcruntime140.dll2023-01-27 11:22:48.240
11241100x8000000000000000321841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\vccorlib140.dll2023-01-27 11:22:48.239
11241100x8000000000000000321840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8FR.DLL2023-01-27 11:22:48.221
11241100x8000000000000000321839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\ucrtbase.dll2023-01-27 11:22:48.221
11241100x8000000000000000321838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.221{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8ES.DLL2023-01-27 11:22:48.221
11241100x8000000000000000321837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msth8EN.DLL2023-01-27 11:22:48.205
11241100x8000000000000000321836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7FR.DLL2023-01-27 11:22:48.205
11241100x8000000000000000321835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcr120.dll2023-01-27 11:22:48.205
11241100x8000000000000000321834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7ES.DLL2023-01-27 11:22:48.190
11241100x8000000000000000321833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\MSHY7EN.DLL2023-01-27 11:22:48.190
11241100x8000000000000000321832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp140.dll2023-01-27 11:22:48.190
11241100x8000000000000000321831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000C.dll2023-01-27 11:22:48.190
11241100x8000000000000000321830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.190{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\msvcp120.dll2023-01-27 11:22:48.190
23542300x8000000000000000321829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=7E28CA982D0207B8FBACBA001B55DE3C,SHA256=1CC6E4C1EC4D3CB5FF85FEB14B9152A664ACB79D66411D836B9C59D8DF313BAA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS000A.dll2023-01-27 11:22:48.174
11241100x8000000000000000321827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7MODELS0009.dll2023-01-27 11:22:48.174
11241100x8000000000000000321826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSYUBIN7.DLL2023-01-27 11:22:48.174
11241100x8000000000000000321825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Library\SOLVER\SOLVER32.DLL2023-01-27 11:22:48.174
11241100x8000000000000000321824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000C.DLL2023-01-27 11:22:48.174
11241100x8000000000000000321823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA000A.DLL2023-01-27 11:22:48.158
11241100x8000000000000000321822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CSS7DATA0009.DLL2023-01-27 11:22:48.158
11241100x8000000000000000321821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\TRANSMRR.DLL2023-01-27 11:22:48.158
23542300x8000000000000000321820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=B804CA082B6CD88A825A46051584F06F,SHA256=3DDC33F6EF2963407F26C11F5248D84545BF9082CE5E64AB8668A709813A0460,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\1033\LOCALDV.DLL2023-01-27 11:22:48.158
11241100x8000000000000000321818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\wxpr.dll2023-01-27 11:22:48.158
11241100x8000000000000000321817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\mfc140u.dll2023-01-27 11:22:48.143
23542300x8000000000000000321816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:48.127{72106695-B403-63D3-B103-00000000BD02}6092NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Windows\Temp\WIN-HOST-CTUS-A-20230127-1122.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000321815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\C2R64.dll2023-01-27 11:22:48.089
11241100x8000000000000000321814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppvIsvSubsystems64.dll2023-01-27 11:22:48.088
11241100x8000000000000000321813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.086{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\concrt140.dll2023-01-27 11:22:48.084
11241100x8000000000000000321812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.084{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVLP.exe2023-01-27 11:22:48.084
11241100x8000000000000000321811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.082{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate64.exe2023-01-27 11:22:48.081
11241100x8000000000000000321810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate32.exe2023-01-27 11:22:48.081
11241100x8000000000000000321809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\AppVDllSurrogate.exe2023-01-27 11:22:48.079
11241100x8000000000000000321808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.078{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:48.077
11241100x8000000000000000321807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:48.077
11241100x8000000000000000321806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:48.077
11241100x8000000000000000321805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.077{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:48.076
11241100x8000000000000000321804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:48.076
11241100x8000000000000000321803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.076{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-process-l1-1-0.dll2023-01-27 11:22:48.075
11241100x8000000000000000321802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.071{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll2023-01-27 11:22:48.069
11241100x8000000000000000321801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:48.069
11241100x8000000000000000321800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:48.068
11241100x8000000000000000321799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:48.068
11241100x8000000000000000321798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:48.067
11241100x8000000000000000321797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-private-l1-1-0.dll2023-01-27 11:22:48.067
11241100x8000000000000000321796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:48.067
11241100x8000000000000000321795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:48.066
11241100x8000000000000000321794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-localization-l1-2-0.dll2023-01-27 11:22:48.066
11241100x8000000000000000321793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-crt-conio-l1-1-0.dll2023-01-27 11:22:48.066
11241100x8000000000000000321792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.067{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-timezone-l1-1-0.dll2023-01-27 11:22:48.064
11241100x8000000000000000321791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-synch-l1-2-0.dll2023-01-27 11:22:48.064
11241100x8000000000000000321790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-processthreads-l1-1-1.dll2023-01-27 11:22:48.063
11241100x8000000000000000321789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-xstate-l2-1-0.dll2023-01-27 11:22:48.062
11241100x8000000000000000321788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l2-1-0.dll2023-01-27 11:22:48.062
11241100x8000000000000000321787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:48.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Client\api-ms-win-core-file-l1-2-0.dll2023-01-27 11:22:48.062
11241100x8000000000000000321786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe2023-01-27 11:22:48.061
11241100x8000000000000000321785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.023{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe2023-01-27 11:22:48.023
11241100x8000000000000000321784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:48.007{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe2023-01-27 11:22:48.007
11241100x8000000000000000321783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe2023-01-27 11:22:47.991
11241100x8000000000000000321782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:47.991{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe2023-01-27 11:22:47.991
10341000x8000000000000000447474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.868{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.869{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.852{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D000F6EAC4AA557EE845601C284DEE9,SHA256=E7682D395B04FEC5FC79C85F32FBAB170611AA81510C9632B7BC17E8D9FE2804,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.966{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\XLMACRO.CHM2023-01-27 11:22:49.966
11241100x8000000000000000322009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.950{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WordNaiveBayesCommandRanker.txt2023-01-27 11:22:49.950
11241100x8000000000000000322008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPackEula.txt2023-01-27 11:22:49.857
11241100x8000000000000000322007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2021Eula.txt2023-01-27 11:22:49.857
11241100x8000000000000000322006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.857{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\WacLangPack2019Eula.txt2023-01-27 11:22:49.857
11241100x8000000000000000322005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\STSLIST.CHM2023-01-27 11:22:49.760
11241100x8000000000000000322004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\smb_eula.txt2023-01-27 11:22:49.760
11241100x8000000000000000322003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.760{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt2023-01-27 11:22:49.758
11241100x8000000000000000322002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.758{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2021_eula.txt2023-01-27 11:22:49.745
11241100x8000000000000000322001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt2023-01-27 11:22:49.745
11241100x8000000000000000322000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\SkypeForBusinessVDI2021_eula.txt2023-01-27 11:22:49.745
23542300x8000000000000000321999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.508{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD92912EAC32CC737E88DD12F70CFC0B,SHA256=222EFDB63236ED6CBB235A6813899324070275BBA4D9D36A8BAB85E4E7035499,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000321998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.505{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627C46EB5C44F5988F91CF07C081B10C,SHA256=F91238F386D666B990367D63E7C41EF041D3BCB974B6B7AA314C1C783BF86FA3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.399{45AAC21C-B409-63D3-BF03-00000000BC02}26246052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B83-63D3-0500-00000000BC02}416432C:\Windows\system32\csrss.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:49.196{45AAC21C-B409-63D3-BF03-00000000BC02}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000447456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.250{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52674-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
354300x8000000000000000447455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:46.250{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local52674-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-460.attackrange.local389ldap
11241100x8000000000000000321997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.XLS2023-01-27 11:22:49.347
11241100x8000000000000000321996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.XLS2023-01-27 11:22:49.346
11241100x8000000000000000321995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.347{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLV.PPT2023-01-27 11:22:49.346
11241100x8000000000000000321994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.346{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PROTTPLN.PPT2023-01-27 11:22:49.346
11241100x8000000000000000321993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.341{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt2023-01-27 11:22:49.339
11241100x8000000000000000321992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.333{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookTaskNaiveBayesCommandRanker.txt2023-01-27 11:22:49.332
11241100x8000000000000000321991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.331{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookNaiveBayesCommandRanker.txt2023-01-27 11:22:49.331
11241100x8000000000000000321990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.329{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqSendNaiveBayesCommandRanker.txt2023-01-27 11:22:49.329
11241100x8000000000000000321989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.328{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMeetingReqReadNaiveBayesCommandRanker.txt2023-01-27 11:22:49.328
11241100x8000000000000000321988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.327{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailReadNaiveBayesCommandRanker.txt2023-01-27 11:22:49.327
11241100x8000000000000000321987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.325{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookMailNaiveBayesCommandRanker.txt2023-01-27 11:22:49.325
11241100x8000000000000000321986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.323{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookApptNaiveBayesCommandRanker.txt2023-01-27 11:22:49.322
11241100x8000000000000000321985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.222{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\OutlookAddrNaiveBayesCommandRanker.txt2023-01-27 11:22:49.222
11241100x8000000000000000321984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.199{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ORGCHART.CHM2023-01-27 11:22:49.199
11241100x8000000000000000321983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.188{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\MSQRY32.CHM2023-01-27 11:22:49.187
11241100x8000000000000000321982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncBasic_Eula.txt2023-01-27 11:22:49.111
11241100x8000000000000000321981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.108{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\LyncVDI_Eula.txt2023-01-27 11:22:49.107
11241100x8000000000000000321980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt2023-01-27 11:22:49.091
11241100x8000000000000000321979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2021_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer2019_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2021_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack2019_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_M365_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub2019_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientOSub2019_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientLangPack_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientVolumeLicense2019_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientSub_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientARMRefer_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\ClientPreview_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\client_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2021_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\Client2019_eula.txt2023-01-27 11:22:49.064
11241100x8000000000000000321962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2019_eula.txt2023-01-27 11:22:49.049
11241100x8000000000000000321961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime_eula.txt2023-01-27 11:22:49.049
11241100x8000000000000000321960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:49.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\1033\AccessRuntime2021_eula.txt2023-01-27 11:22:49.049
11241100x8000000000000000322015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll2023-01-27 11:22:50.677
11241100x8000000000000000322014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll2023-01-27 11:22:50.677
11241100x8000000000000000322013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:50.677{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe2023-01-27 11:22:50.677
23542300x8000000000000000322012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:50.612{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\respondent-20230127093815-101MD5=FAFF531EDF0CFC03BCEBADF518BA5361,SHA256=88BF976C27BC6DB398DABD588375EB870CCDB2E8695A85E73E9E0CF078A2553A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000322011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:50.550{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9218CD53C9C2F450ABF6FE704510168,SHA256=8797C9F8ADC1A59F2609BC7B6675B2FF8E5C8A0D7C0E56024644782996E1C50B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.672{45AAC21C-B40A-63D3-C103-00000000BC02}45524624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B83-63D3-0500-00000000BC02}416384C:\Windows\system32\csrss.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.469{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.470{45AAC21C-B40A-63D3-C103-00000000BC02}4552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000447478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.111{45AAC21C-B409-63D3-C003-00000000BC02}17081336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
10341000x8000000000000000447475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:50.099{45AAC21C-9B96-63D3-3000-00000000BC02}28483432C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-B409-63D3-C003-00000000BC02}1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190)
11241100x8000000000000000322020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.770{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAMPLES\SOLVSAMP.XLS2023-01-27 11:22:51.770
11241100x8000000000000000322019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:51.744{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Integration\Addons\OneDriveSetup.exe2023-01-27 11:22:51.744
23542300x8000000000000000322018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.606{72106695-9B85-63D3-1B00-00000000BD02}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f154ddf1aa5a8e8d\channels\health\surveyor-20230127093814-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000322017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.584{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F47179D9CC89D09602AAFB328AAD3E,SHA256=BAD9186FF768F7C68AB034250E7D70736FC2EF7E3E5BD37EBAF56E7726E0829D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000447497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B98-63D3-3600-00000000BC02}31363156C:\Windows\system32\conhost.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B85-63D3-0C00-00000000BC02}8365472C:\Windows\system32\svchost.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000447492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B83-63D3-0500-00000000BC02}416532C:\Windows\system32\csrss.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000447491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.642{45AAC21C-9B96-63D3-2F00-00000000BC02}28163532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000447490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.643{45AAC21C-B40B-63D3-C203-00000000BC02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{45AAC21C-9B83-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{45AAC21C-9B96-63D3-2F00-00000000BC02}2816C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000447489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:47.740{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x8000000000000000447488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.031{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A5201FA07A1EB90EFD788FA6F8A6A7,SHA256=8CD9FFB9DD6515942174F2420FA9EA10975326C0AFFF988E0780B6A508DDD31E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000322016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.269{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-CTUS-A-20230127-1122b.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.849{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ACCOLK.DLL2023-01-27 11:22:52.849
11241100x8000000000000000322024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.849{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACEDAO.DLL2023-01-27 11:22:52.849
11241100x8000000000000000322023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:52.628{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCWIZ.DLL2023-01-27 11:22:52.627
11241100x8000000000000000322022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:52.624{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ACCICONS.EXE2023-01-27 11:22:52.624
23542300x8000000000000000322021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.592{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21185B957A735BBEFE486683E5E7BB7,SHA256=9B7E2684862CE4C3A62EE88E341C59585A580DD27DD26804D8A369085B275463,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.780{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8780856D97B81386002FD772C6228A0,SHA256=791D1F7173A9384C31D8D9532174F972DD4474EC5903A51A6A66B226C7B65126,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000447498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.139{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EC610E28001EB0A3857B4DFA17ACD3,SHA256=B35A6F792157DB7455D8522138F406FDFD877A98B0591750057EA76AD86251FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000322060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.828{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45EA5913BFEF55D14BED3A570CF4831,SHA256=8E06897D193ECD6264B7C0B2B38DC100F310F827168040E763CA7D25920286F4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.Runtime.InteropServices.RuntimeInformation.dll2023-01-27 11:22:53.828
11241100x8000000000000000322058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.828{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll2023-01-27 11:22:53.827
11241100x8000000000000000322057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll2023-01-27 11:22:53.814
11241100x8000000000000000322056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll2023-01-27 11:22:53.814
11241100x8000000000000000322055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.814{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll2023-01-27 11:22:53.569
10341000x8000000000000000322054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000322052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.689{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000322047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.518{72106695-B40D-63D3-B303-00000000BD02}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:53.341{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099331F536251554CD577D42BC294B2F,SHA256=7DB420DFEA69F90415558806B7B00274B7577F32B480122E5C0ED331847F3EB1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.569{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll2023-01-27 11:22:53.569
11241100x8000000000000000322045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.568{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.dll2023-01-27 11:22:53.568
11241100x8000000000000000322044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.568{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll2023-01-27 11:22:53.360
23542300x8000000000000000322043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.531{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=0437BF4F0955874D4DA79AEA907BD746,SHA256=D9B05893A250C8D607753978E5F86B250C05D8D74F7AA1117F1D0EF167CC62E9,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000322042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:51.331{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50975-false10.0.1.12-8000-
10341000x8000000000000000322041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:53.492{72106695-9B85-63D3-1700-00000000BD02}12242536C:\Windows\System32\svchost.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000322040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.v4.0.Utilities.dll2023-01-27 11:22:53.359
11241100x8000000000000000322039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.359{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.Json.dll2023-01-27 11:22:53.359
11241100x8000000000000000322038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.359{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Telemetry.EventFlags.dll2023-01-27 11:22:53.358
11241100x8000000000000000322037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll2023-01-27 11:22:53.358
11241100x8000000000000000322036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Extensions.Logging.Abstractions.dll2023-01-27 11:22:53.358
11241100x8000000000000000322035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.358{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Workbook.dll2023-01-27 11:22:53.357
11241100x8000000000000000322034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Views.dll2023-01-27 11:22:53.357
11241100x8000000000000000322033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.UWP.dll2023-01-27 11:22:53.357
11241100x8000000000000000322032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.357{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.StreamerUI.dll2023-01-27 11:22:53.356
11241100x8000000000000000322031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Service.dll2023-01-27 11:22:53.354
11241100x8000000000000000322030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Serial.dll2023-01-27 11:22:53.354
11241100x8000000000000000322029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.354{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Manifest.dll2023-01-27 11:22:53.352
11241100x8000000000000000322028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.352{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll2023-01-27 11:22:53.352
11241100x8000000000000000322027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.101{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Core.dll2023-01-27 11:22:53.101
11241100x8000000000000000322026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:53.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\ColleagueImport.dll2023-01-27 11:22:52.849
10341000x8000000000000000322130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.724{72106695-B40E-63D3-B403-00000000BD02}7406112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000322129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll2023-01-27 11:22:54.708
11241100x8000000000000000322128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll2023-01-27 11:22:54.708
11241100x8000000000000000322127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.ProgramSynthesis.dll2023-01-27 11:22:54.708
11241100x8000000000000000322126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll2023-01-27 11:22:54.708
11241100x8000000000000000322125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll2023-01-27 11:22:54.708
11241100x8000000000000000322124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.Library45.dll2023-01-27 11:22:54.708
11241100x8000000000000000322123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.dll2023-01-27 11:22:54.708
11241100x8000000000000000322122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.Shared.dll2023-01-27 11:22:54.708
11241100x8000000000000000322121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.WebViews.Windows.EdgeChromium.dll2023-01-27 11:22:54.708
11241100x8000000000000000322120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.708{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll2023-01-27 11:22:54.609
23542300x8000000000000000447501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:54.431{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3856807CDE20AC3DAC7618F4A9A35BF8,SHA256=99ADE4A565276E573C740B41E119B4EE176CC1117B7B357316C9F9F90435405D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Shims.dll2023-01-27 11:22:54.609
11241100x8000000000000000322118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll2023-01-27 11:22:54.609
11241100x8000000000000000322117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.609{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.XmlSerializers.dll2023-01-27 11:22:54.608
11241100x8000000000000000322116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll2023-01-27 11:22:54.608
11241100x8000000000000000322115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe2023-01-27 11:22:54.608
11241100x8000000000000000322114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.608{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll2023-01-27 11:22:54.607
11241100x8000000000000000322113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.EventSource.dll2023-01-27 11:22:54.607
11241100x8000000000000000322112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.DocumentServices.dll2023-01-27 11:22:54.607
11241100x8000000000000000322111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Document.dll2023-01-27 11:22:54.607
11241100x8000000000000000322110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.607{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll2023-01-27 11:22:54.606
11241100x8000000000000000322109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.606{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll2023-01-27 11:22:54.605
11241100x8000000000000000322108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.604{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe2023-01-27 11:22:54.604
11241100x8000000000000000322107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.601{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe2023-01-27 11:22:54.601
11241100x8000000000000000322106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:54.601{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe2023-01-27 11:22:54.600
23542300x8000000000000000322105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.568{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=604BCF9BD2FD101C1B69B261791092F4,SHA256=9246B38D41CE27EB5BFE93E9FBE449BA599C31F6896F8CA192FA55A46971B0B1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000322104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.745{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50977-false72.21.91.29-80http
354300x8000000000000000322103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:52.625{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50976-false51.104.15.253-443https
10341000x8000000000000000322102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.518{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.516{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B84-63D3-0500-00000000BD02}4121048C:\Windows\system32\csrss.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000322096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.515{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000322095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.358{72106695-B40E-63D3-B403-00000000BD02}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000322094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM2023-01-27 11:22:54.309
11241100x8000000000000000322093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM2023-01-27 11:22:54.309
11241100x8000000000000000322092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.308{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBLR6.CHM2023-01-27 11:22:54.308
11241100x8000000000000000322091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.308{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\VBAOWS10.CHM2023-01-27 11:22:54.307
11241100x8000000000000000322090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM2023-01-27 11:22:54.307
11241100x8000000000000000322089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBENDF98.CHM2023-01-27 11:22:54.307
11241100x8000000000000000322088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.307{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM2023-01-27 11:22:54.307
11241100x8000000000000000322087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.306{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM2023-01-27 11:22:54.305
11241100x8000000000000000322086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.290{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM2023-01-27 11:22:54.290
11241100x8000000000000000322085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.288{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM2023-01-27 11:22:54.287
11241100x8000000000000000322084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10R.CHM2023-01-27 11:22:54.286
11241100x8000000000000000322083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.286{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ADO210.CHM2023-01-27 11:22:54.285
11241100x8000000000000000322082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Packaging.dll2023-01-27 11:22:54.275
11241100x8000000000000000322081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.276{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll2023-01-27 11:22:54.275
11241100x8000000000000000322080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.274{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll2023-01-27 11:22:54.272
11241100x8000000000000000322079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\EEINTL.DLL2023-01-27 11:22:54.273
11241100x8000000000000000322078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.268{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.dll2023-01-27 11:22:54.267
11241100x8000000000000000322077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.267{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.UI.Extension.dll2023-01-27 11:22:54.265
23542300x8000000000000000322076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.194{72106695-B402-63D3-B003-00000000BD02}3780WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journalMD5=9401611DCE9F0B7D4453FA874B37FF66,SHA256=9168922BF719C301820EBC7A41E2397B302203595F42AF285AEA52B6F1148BFC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Extensions.dll2023-01-27 11:22:54.112
11241100x8000000000000000322074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll2023-01-27 11:22:54.112
11241100x8000000000000000322073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll2023-01-27 11:22:54.112
11241100x8000000000000000322072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.112{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.AddinTelemetry.dll2023-01-27 11:22:54.112
10341000x8000000000000000322071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:54.081{72106695-B40D-63D3-B303-00000000BD02}58723960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000322070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll2023-01-27 11:22:54.047
11241100x8000000000000000322069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll2023-01-27 11:22:54.047
11241100x8000000000000000322068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll2023-01-27 11:22:54.047
11241100x8000000000000000322067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll2023-01-27 11:22:54.047
11241100x8000000000000000322066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll2023-01-27 11:22:54.047
11241100x8000000000000000322065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\OTelCS.dll2023-01-27 11:22:54.047
11241100x8000000000000000322064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyClustering.dll2023-01-27 11:22:54.047
11241100x8000000000000000322063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Common.dll2023-01-27 11:22:54.047
11241100x8000000000000000322062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll2023-01-27 11:22:54.047
11241100x8000000000000000322061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:54.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll2023-01-27 11:22:53.814
23542300x8000000000000000447503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:55.629{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80C8C36CA3960B65C5A732C8B890561,SHA256=30C937AD71FE18CFD9E1682F4FDB698BB49B10195EACD05BA79B13CD290B0812,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll2023-01-27 11:22:55.976
11241100x8000000000000000322212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.976{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:55.975
11241100x8000000000000000322211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.975{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll2023-01-27 11:22:55.975
11241100x8000000000000000322210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.975{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll2023-01-27 11:22:55.975
11241100x8000000000000000322209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:55.974
11241100x8000000000000000322208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll2023-01-27 11:22:55.974
11241100x8000000000000000322207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.974{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:55.971
11241100x8000000000000000322206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.972{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll2023-01-27 11:22:55.972
11241100x8000000000000000322205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.971{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll2023-01-27 11:22:55.971
11241100x8000000000000000322204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.971{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Common.Wizard.dll2023-01-27 11:22:55.967
11241100x8000000000000000322203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.967{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll2023-01-27 11:22:55.965
11241100x8000000000000000322202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.dll2023-01-27 11:22:55.965
11241100x8000000000000000322201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll2023-01-27 11:22:55.965
11241100x8000000000000000322200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:55.965
11241100x8000000000000000322199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.965{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Interop.MSDASC.dll2023-01-27 11:22:55.964
11241100x8000000000000000322198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.WinForms.dll2023-01-27 11:22:55.963
11241100x8000000000000000322197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Forms.dll2023-01-27 11:22:55.963
11241100x8000000000000000322196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.963{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.dll2023-01-27 11:22:55.962
11241100x8000000000000000322195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.962{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.ReportDesign.Common.dll2023-01-27 11:22:55.962
11241100x8000000000000000322194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.962{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll2023-01-27 11:22:55.961
11241100x8000000000000000322193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.961{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL2023-01-27 11:22:55.947
11241100x8000000000000000322192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.961{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll2023-01-27 11:22:55.947
11241100x8000000000000000322191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.947{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.dll2023-01-27 11:22:55.946
11241100x8000000000000000322190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.946{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportViewer.Common.dll2023-01-27 11:22:55.946
11241100x8000000000000000322189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.945{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.DataExtensions.dll2023-01-27 11:22:55.944
11241100x8000000000000000322188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.MDXQueryGenerator.dll2023-01-27 11:22:55.944
11241100x8000000000000000322187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.944{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll2023-01-27 11:22:55.942
11241100x8000000000000000322186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll2023-01-27 11:22:55.942
11241100x8000000000000000322185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.943{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.DLL2023-01-27 11:22:55.942
11241100x8000000000000000322184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.942{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll2023-01-27 11:22:55.941
11241100x8000000000000000322183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.940{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll2023-01-27 11:22:55.899
11241100x8000000000000000322182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.899{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:55.898
11241100x8000000000000000322181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll2023-01-27 11:22:55.728
11241100x8000000000000000322180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL2023-01-27 11:22:55.728
11241100x8000000000000000322179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.dll2023-01-27 11:22:55.729
11241100x8000000000000000322178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll2023-01-27 11:22:55.728
11241100x8000000000000000322177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:55.728
11241100x8000000000000000322176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.898{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll2023-01-27 11:22:55.728
11241100x8000000000000000322175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.727{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll2023-01-27 11:22:55.727
11241100x8000000000000000322174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.726{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll2023-01-27 11:22:55.726
11241100x8000000000000000322173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.726{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.XmlSerializers.dll2023-01-27 11:22:55.725
11241100x8000000000000000322172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:55.725
11241100x8000000000000000322171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:55.700
11241100x8000000000000000322170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.725{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll2023-01-27 11:22:55.725
23542300x8000000000000000322169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.723{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC38EF57F17CF4EE69B45A166544D09,SHA256=90EB04E7AD372EF02D05C461CF196162E586957B2E3870B2168B075E94E70658,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.700{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.Wizard.dll2023-01-27 11:22:55.699
11241100x8000000000000000322167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.700{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL2023-01-27 11:22:55.699
11241100x8000000000000000322166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL2023-01-27 11:22:55.699
11241100x8000000000000000322165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL2023-01-27 11:22:55.699
11241100x8000000000000000322164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL2023-01-27 11:22:55.698
11241100x8000000000000000322163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.699{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONGRAPHICS.DLL2023-01-27 11:22:55.698
11241100x8000000000000000322162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.698{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll2023-01-27 11:22:55.698
11241100x8000000000000000322161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\OUTLVBA.DLL2023-01-27 11:22:55.697
11241100x8000000000000000322160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCOMMON.DLL2023-01-27 11:22:55.696
11241100x8000000000000000322159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.697{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL2023-01-27 11:22:55.696
11241100x8000000000000000322158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.696{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL2023-01-27 11:22:55.696
11241100x8000000000000000322157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.695{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL2023-01-27 11:22:55.695
11241100x8000000000000000322156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.695{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCONTROL.DLL2023-01-27 11:22:55.423
11241100x8000000000000000322155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHARTCOMMON.DLL2023-01-27 11:22:55.423
11241100x8000000000000000322154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINDATAPROVIDER.DLL2023-01-27 11:22:55.422
11241100x8000000000000000322153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll2023-01-27 11:22:55.422
11241100x8000000000000000322152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.WinForms.dll2023-01-27 11:22:55.421
11241100x8000000000000000322151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.421{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Collections.Immutable.dll2023-01-27 11:22:55.421
11241100x8000000000000000322150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.421{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\PRIVATE_ODBC32.dll2023-01-27 11:22:55.160
10341000x8000000000000000322149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.235{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.233{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000322143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.232{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000322142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.074{72106695-B40F-63D3-B503-00000000BD02}480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000322141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\pdf2text.dll2023-01-27 11:22:55.158
11241100x8000000000000000322140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.158{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll2023-01-27 11:22:55.157
11241100x8000000000000000322139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\WebView2Loader.dll2023-01-27 11:22:55.157
11241100x8000000000000000322138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Newtonsoft.Json.dll2023-01-27 11:22:55.156
11241100x8000000000000000322137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Spatial.NetFX35.dll2023-01-27 11:22:55.156
11241100x8000000000000000322136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll2023-01-27 11:22:55.155
11241100x8000000000000000322135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.156{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll2023-01-27 11:22:55.155
11241100x8000000000000000322134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Web.WebView2.Core.dll2023-01-27 11:22:55.154
11241100x8000000000000000322133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.V7.dll2023-01-27 11:22:55.154
11241100x8000000000000000322132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll2023-01-27 11:22:55.154
11241100x8000000000000000322131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:55.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll2023-01-27 11:22:54.708
354300x8000000000000000447502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:51.986{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A49690-
11241100x8000000000000000322317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.968{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\msipc.dll2023-01-27 11:22:56.968
11241100x8000000000000000322316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.968{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSIPC\ipcsecproc.dll2023-01-27 11:22:56.968
23542300x8000000000000000322315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.953{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A357C9A5E5A047B8024AEBB9C34305,SHA256=0B90388DDC49E2B34A1125A3BAF7EDE49D4363D7783044FEC809417F183CF651,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000322314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.929{72106695-B410-63D3-B703-00000000BD02}29364468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000447506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:56.725{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032D9C1F947F240D9C7CB3E466559E54,SHA256=45A00DCAF6797C37695FC3E99EEB2C4D344231211D4C30D1EEABFEB4E2C6CE50,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000322313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.699{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.695{72106695-9B84-63D3-0500-00000000BD02}412428C:\Windows\system32\csrss.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000322307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.694{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000322306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.694{72106695-B410-63D3-B703-00000000BD02}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000322305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSAEXP30.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSBARCODE.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OART.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSACCESS.EXE2023-01-27 11:22:56.657
11241100x8000000000000000322301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBROAMINGPROXY.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MORPH9.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MINSBPROXY.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MIMEDIR.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPISHELL.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MAPIPH.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\LyncDesktopSmartBitmapResources.dll2023-01-27 11:22:56.657
11241100x8000000000000000322294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IVY.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INTLDATE.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\INKCOMMENT.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IGX.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEContentService.exe2023-01-27 11:22:56.657
11241100x8000000000000000322289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\IEAWSDC.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Httpproxy.DLL2023-01-27 11:22:56.657
11241100x8000000000000000322287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GRAPH.EXE2023-01-27 11:22:56.657
11241100x8000000000000000322286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.657{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKWord.dll2023-01-27 11:22:56.365
10341000x8000000000000000322285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.393{72106695-B40F-63D3-B603-00000000BD02}25805288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000322284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.364{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKPowerPoint.dll2023-01-27 11:22:56.364
11241100x8000000000000000322283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.364{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GKExcel.dll2023-01-27 11:22:56.364
11241100x8000000000000000322282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\GFX.DLL2023-01-27 11:22:56.363
11241100x8000000000000000322281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.363{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityDataHandler.dll2023-01-27 11:22:56.362
11241100x8000000000000000322280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.362{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EntityPicker.dll2023-01-27 11:22:56.362
11241100x8000000000000000322279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.362{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXSEC32.DLL2023-01-27 11:22:56.362
11241100x8000000000000000322278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EXCEL.EXE2023-01-27 11:22:56.360
23542300x8000000000000000322277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.360{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E55A51E1209285EE6D2281AB2F0F39,SHA256=66EFA93514B366FC5A38313B0F93D549B4CF70FB560427B8F9768F3E0FA00C62,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DIFF_MATCH_PATCH_WIN32.DLL2023-01-27 11:22:56.345
11241100x8000000000000000322275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.360{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMABLT32.DLL2023-01-27 11:22:56.314
11241100x8000000000000000322274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.329{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ENVELOPE.DLL2023-01-27 11:22:56.314
11241100x8000000000000000322273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\TRANSMGR.DLL2023-01-27 11:22:56.314
11241100x8000000000000000322272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mfc140u.dll2023-01-27 11:22:56.314
11241100x8000000000000000322271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.314{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DLGSETP.DLL2023-01-27 11:22:56.097
11241100x8000000000000000322270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.096{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGCORE.DLL2023-01-27 11:22:56.096
11241100x8000000000000000322269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.095{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Cpprest141_2_10.DLL2023-01-27 11:22:56.092
10341000x8000000000000000322268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.094{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000322267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\EMSMDB32.DLL2023-01-27 11:22:56.092
11241100x8000000000000000322266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONVERT\RM.DLL2023-01-27 11:22:56.091
10341000x8000000000000000322265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.090{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.089{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000322260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.088{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000322259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:55.899{72106695-B40F-63D3-B603-00000000BD02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000322258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\DBGHELP.DLL2023-01-27 11:22:56.063
11241100x8000000000000000322257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CNFNOT32.EXE2023-01-27 11:22:56.050
11241100x8000000000000000322256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CLVIEW.EXE2023-01-27 11:22:56.050
11241100x8000000000000000322255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.050{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AutoHelper.dll2023-01-27 11:22:56.050
354300x8000000000000000447505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:53.238{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A54114-
354300x8000000000000000447504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:52.757{45AAC21C-9BA3-63D3-7100-00000000BC02}4052C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-460.attackrange.local52676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
11241100x8000000000000000322254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CONTAB32.DLL2023-01-27 11:22:56.049
11241100x8000000000000000322253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.049{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\CHART.DLL2023-01-27 11:22:56.049
11241100x8000000000000000322252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.048{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\BIPLAT.DLL2023-01-27 11:22:56.048
11241100x8000000000000000322251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:56.048{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingHookController64.exe2023-01-27 11:22:56.047
11241100x8000000000000000322250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AppSharingChromeHook64.dll2023-01-27 11:22:56.047
11241100x8000000000000000322249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.047{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Appshapi.dll2023-01-27 11:22:56.046
11241100x8000000000000000322248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.046{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHSAPIFE.DLL2023-01-27 11:22:56.045
11241100x8000000000000000322247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vcruntime140_1.dll2023-01-27 11:22:56.045
11241100x8000000000000000322246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHMAIN.DLL2023-01-27 11:22:56.044
11241100x8000000000000000322245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.045{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\AUDIOSEARCHLTS.DLL2023-01-27 11:22:56.044
11241100x8000000000000000322244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.044{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Interfaces.dll2023-01-27 11:22:56.043
11241100x8000000000000000322243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\OFFICE.dll2023-01-27 11:22:56.043
11241100x8000000000000000322242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.RsClient.dll2023-01-27 11:22:56.043
11241100x8000000000000000322241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.043{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\ReportingServicesNativeClient.dll2023-01-27 11:22:56.027
11241100x8000000000000000322240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.027{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\sqmapi.dll2023-01-27 11:22:56.026
11241100x8000000000000000322239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.027{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\UmOutlookAddin.dll2023-01-27 11:22:56.026
11241100x8000000000000000322238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:56.026
11241100x8000000000000000322237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.SqlServer.Types.dll2023-01-27 11:22:56.025
11241100x8000000000000000322236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.026{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Common.dll2023-01-27 11:22:56.025
11241100x8000000000000000322235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.025{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\PowerPivotExcelClientAddIn.dll2023-01-27 11:22:56.024
11241100x8000000000000000322234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.DataWarehouse.dll2023-01-27 11:22:56.024
11241100x8000000000000000322233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.Diagnostics.dll2023-01-27 11:22:56.024
11241100x8000000000000000322232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.024{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll2023-01-27 11:22:56.023
11241100x8000000000000000322231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.023{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.PowerPivot.ExcelAddIn.dll2023-01-27 11:22:56.022
11241100x8000000000000000322230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.021{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportingServices.ReportDesign.Forms.dll2023-01-27 11:22:56.021
11241100x8000000000000000322229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.021{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.DataExtensions.dll2023-01-27 11:22:56.014
11241100x8000000000000000322228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.MDXQueryGenerator.dll2023-01-27 11:22:56.013
11241100x8000000000000000322227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Core.dll2023-01-27 11:22:56.013
11241100x8000000000000000322226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.013{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.WinForms.dll2023-01-27 11:22:56.012
11241100x8000000000000000322225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.012{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.ReportViewer.Common.dll2023-01-27 11:22:56.012
11241100x8000000000000000322224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.011{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.Interfaces.DLL2023-01-27 11:22:56.011
11241100x8000000000000000322223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.011{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.DataWarehouse.DLL2023-01-27 11:22:56.010
11241100x8000000000000000322222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Office.Interop.Excel.dll2023-01-27 11:22:56.010
11241100x8000000000000000322221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.010{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.dll2023-01-27 11:22:56.009
11241100x8000000000000000322220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll2023-01-27 11:22:56.009
11241100x8000000000000000322219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Common.dll2023-01-27 11:22:56.009
11241100x8000000000000000322218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.009{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.Recommendation.Client.Picasso.dll2023-01-27 11:22:56.006
11241100x8000000000000000322217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.005{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:56.005
11241100x8000000000000000322216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.005{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.XLHost.Modeler.dll2023-01-27 11:22:56.004
11241100x8000000000000000322215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.002{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.SPClient.Interfaces.DLL2023-01-27 11:22:56.001
11241100x8000000000000000322214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:56.001{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ADDINS\PowerPivot Excel Add-inv16\Microsoft.AnalysisServices.Layout.dll2023-01-27 11:22:56.000
23542300x8000000000000000447507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:57.817{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C0DA1ACAA0D9C00BFC1C157154B52,SHA256=4C5A4F50822731EEA98F790C48948F0538AB7AD3E154DDB50D6B8B843C401FC4,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.769{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBCONV.DLL2023-01-27 11:22:57.769
11241100x8000000000000000322431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PTXT9.DLL2023-01-27 11:22:57.768
11241100x8000000000000000322430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PRTF9.DLL2023-01-27 11:22:57.768
11241100x8000000000000000322429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PSTPRX32.DLL2023-01-27 11:22:57.768
11241100x8000000000000000322428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgrammar8.dll2023-01-27 11:22:57.767
11241100x8000000000000000322427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msspell7.dll2023-01-27 11:22:57.767
11241100x8000000000000000322426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PROOF\msgr3jp.dll2023-01-27 11:22:57.766
11241100x8000000000000000322425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.767{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPTICO.EXE2023-01-27 11:22:57.767
11241100x8000000000000000322424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.766{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPSLAX.DLL2023-01-27 11:22:57.766
11241100x8000000000000000322423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.766{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPRESOURCES.DLL2023-01-27 11:22:57.765
11241100x8000000000000000322422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPINTL.COMMON.DLL2023-01-27 11:22:57.765
11241100x8000000000000000322421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.765{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PPCORE.DLL2023-01-27 11:22:57.764
11241100x8000000000000000322420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.501{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\POWERPNT.EXE2023-01-27 11:22:57.501
11241100x8000000000000000322419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.501{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PEOPLEDATAHANDLER.DLL2023-01-27 11:22:57.500
11241100x8000000000000000322418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.500{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookWebHost.dll2023-01-27 11:22:57.500
11241100x8000000000000000322417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.500{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PDFREFLOW.EXE2023-01-27 11:22:57.500
11241100x8000000000000000322416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrSanBroker.exe2023-01-27 11:22:57.499
11241100x8000000000000000322415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScrBroker.exe2023-01-27 11:22:57.499
11241100x8000000000000000322414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.499{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OsfTaskengine.dll2023-01-27 11:22:57.499
11241100x8000000000000000322413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeJs_Core.DLL2023-01-27 11:22:57.498
11241100x8000000000000000322412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OfficeScr.dll2023-01-27 11:22:57.498
11241100x8000000000000000322411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.498{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLVBS.DLL2023-01-27 11:22:57.498
11241100x8000000000000000322410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLRPC.DLL2023-01-27 11:22:57.497
11241100x8000000000000000322409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcPubMgr.exe2023-01-27 11:22:57.497
11241100x8000000000000000322408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLPH.DLL2023-01-27 11:22:57.497
11241100x8000000000000000322407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.497{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OcOffice.dll2023-01-27 11:22:57.496
11241100x8000000000000000322406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.496{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OutlookServicing.DLL2023-01-27 11:22:57.496
11241100x8000000000000000322405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.492{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLMIME.DLL2023-01-27 11:22:57.492
11241100x8000000000000000322404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.491{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLOOK.EXE2023-01-27 11:22:57.490
11241100x8000000000000000322403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.490{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLCTL.DLL2023-01-27 11:22:57.486
11241100x8000000000000000322402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.490{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OUTLLIBR.COMMON.DLL2023-01-27 11:22:57.490
11241100x8000000000000000322401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.486{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFUI.DLL2023-01-27 11:22:57.485
11241100x8000000000000000322400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.485{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFSHARED.DLL2023-01-27 11:22:57.485
11241100x8000000000000000322399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.485{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ORGCHART.EXE2023-01-27 11:22:57.484
11241100x8000000000000000322398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTEM.EXE2023-01-27 11:22:57.483
11241100x8000000000000000322397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSFROAMINGPROXY.DLL2023-01-27 11:22:57.483
11241100x8000000000000000322396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.484{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONWordAddin.dll2023-01-27 11:22:57.483
11241100x8000000000000000322395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.482{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OSF.DLL2023-01-27 11:22:57.481
11241100x8000000000000000322394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.480{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONLNTCOMLIB.DLL2023-01-27 11:22:57.480
11241100x8000000000000000322393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.478{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONRES.DLL2023-01-27 11:22:57.478
11241100x8000000000000000322392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.478{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONPPTAddin.dll2023-01-27 11:22:57.477
11241100x8000000000000000322391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.477{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONFILTER.DLL2023-01-27 11:22:57.477
11241100x8000000000000000322390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.477{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIE.dll2023-01-27 11:22:57.476
11241100x8000000000000000322389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.475{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnPPT.dll2023-01-27 11:22:57.475
11241100x8000000000000000322388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnIELinkedNotes.dll2023-01-27 11:22:57.474
11241100x8000000000000000322387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\onmain.DLL2023-01-27 11:22:57.474
11241100x8000000000000000322386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.474{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONENOTE.EXE2023-01-27 11:22:57.473
11241100x8000000000000000322385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONECLIENTW32.DLL2023-01-27 11:22:57.473
11241100x8000000000000000322384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.473{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnWD.dll2023-01-27 11:22:57.473
11241100x8000000000000000322383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ONBttnOL.dll2023-01-27 11:22:57.472
11241100x8000000000000000322382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSXP32.DLL2023-01-27 11:22:57.471
11241100x8000000000000000322381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.470{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMSMAIN.DLL2023-01-27 11:22:57.470
11241100x8000000000000000322380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMRAUT.DLL2023-01-27 11:22:57.469
11241100x8000000000000000322379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.469{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OMICAUT.DLL2023-01-27 11:22:57.469
11241100x8000000000000000322378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLMAPI32.DLL2023-01-27 11:22:57.468
11241100x8000000000000000322377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.466{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLKFSTUB.DLL2023-01-27 11:22:57.465
11241100x8000000000000000322376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.465{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OLCFG.EXE2023-01-27 11:22:57.464
11241100x8000000000000000322375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.465{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OIMG.DLL2023-01-27 11:22:57.459
11241100x8000000000000000322374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.459{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFRHD.DLL2023-01-27 11:22:57.456
11241100x8000000000000000322373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.454{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_WORD.DLL2023-01-27 11:22:57.446
11241100x8000000000000000322372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.453{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll2023-01-27 11:22:57.433
11241100x8000000000000000322371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.446{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OFFICEJS_EXCEL.DLL2023-01-27 11:22:57.446
11241100x8000000000000000322370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.432{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll2023-01-27 11:22:57.423
11241100x8000000000000000322369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.425{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll2023-01-27 11:22:57.424
11241100x8000000000000000322368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.424{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll2023-01-27 11:22:57.424
23542300x8000000000000000322367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.424{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-journalMD5=2AC5F3AFCAB502E1C9D4338AB25A4649,SHA256=31947DE749CA9A6E56EAA58DD40A0E6047A5AD46D2FB23E163054D20AAAA70E2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll2023-01-27 11:22:57.423
11241100x8000000000000000322365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll2023-01-27 11:22:57.423
11241100x8000000000000000322364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.423{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libcrypto-1_1-x64.dll2023-01-27 11:22:57.422
10341000x8000000000000000322363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.422{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000322362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.422{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll2023-01-27 11:22:57.420
10341000x8000000000000000322361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.421{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.421{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.420{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.420{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000322357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.419{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\sbicudt58_64.dll2023-01-27 11:22:57.419
10341000x8000000000000000322356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.418{72106695-9B84-63D3-0500-00000000BD02}4121812C:\Windows\system32\csrss.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000322355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.413{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000322354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.251{72106695-B411-63D3-B803-00000000BD02}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000322353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.411{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll2023-01-27 11:22:57.410
11241100x8000000000000000322352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.409{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll2023-01-27 11:22:57.409
23542300x8000000000000000322351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.408{72106695-9B85-63D3-1F00-00000000BD02}1980NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=72E1696A3B17613CB1F5C69C5375EC87,SHA256=6ACD247E50A51CA31B689530805F80E52FFEAF4668F46B3ED2E64C44F26CF41C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.398{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libcrypto-1_1-x64.dll2023-01-27 11:22:57.398
11241100x8000000000000000322349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCSCLIENTWIN32.DLL2023-01-27 11:22:57.386
11241100x8000000000000000322348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OCHelper.dll2023-01-27 11:22:57.372
23542300x8000000000000000322347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.384{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40882DA814495680525F9E84557E65B,SHA256=40CAB07430FFD6A0EAEB055228A230A13DD79C921A64345C1BC5BB73FED76C67,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\OARTODF.DLL2023-01-27 11:22:57.129
11241100x8000000000000000322345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAME.DLL2023-01-27 11:22:57.128
11241100x8000000000000000322344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Lexicons0011.DLL2023-01-27 11:22:57.129
11241100x8000000000000000322343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Models0011.DLL2023-01-27 11:22:57.129
11241100x8000000000000000322342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLSERVER.EXE2023-01-27 11:22:57.128
11241100x8000000000000000322341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.127{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NL7Data0011.DLL2023-01-27 11:22:57.126
11241100x8000000000000000322340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.126{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MeetingJoinAxOC.dll2023-01-27 11:22:57.125
11241100x8000000000000000322339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.125{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\NAMECONTROLPROXY.DLL2023-01-27 11:22:57.125
11241100x8000000000000000322338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.125{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Office.PolicyTips.dll2023-01-27 11:22:57.120
23542300x8000000000000000322337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:57.123{72106695-B405-63D3-B203-00000000BD02}4756WIN-HOST-CTUS-A\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-journalMD5=154FA03BC7C5DE95D2C9A28C56C9E0B3,SHA256=6CB765900C9F8570DCCE9565AF38AEA17ECABEB100FA56AC8A3D82E3CFD3F4CC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.119{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Microsoft.Ink.Recognition.DLL2023-01-27 11:22:57.119
11241100x8000000000000000322335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.119{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSVCP140_APP.DLL2023-01-27 11:22:57.118
11241100x8000000000000000322334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSRTEDIT.DLL2023-01-27 11:22:57.118
11241100x8000000000000000322333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ODBC32.DLL2023-01-27 11:22:57.118
11241100x8000000000000000322332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.117{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSQRY32.EXE2023-01-27 11:22:57.116
11241100x8000000000000000322331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPUB.EXE2023-01-27 11:22:57.116
11241100x8000000000000000322330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.115{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSPST32.DLL2023-01-27 11:22:57.106
11241100x8000000000000000322329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSVG.DLL2023-01-27 11:22:57.105
11241100x8000000000000000322328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.106{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSTYLE.DLL2023-01-27 11:22:57.104
11241100x8000000000000000322327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.104{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSREC.EXE2023-01-27 11:22:57.104
11241100x8000000000000000322326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.104{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOSPECTRE.DLL2023-01-27 11:22:57.103
11241100x8000000000000000322325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHEVI.DLL2023-01-27 11:22:57.103
11241100x8000000000000000322324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.103{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOCR.DLL2023-01-27 11:22:57.102
11241100x8000000000000000322323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:57.102{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOHTMED.EXE2023-01-27 11:22:57.102
11241100x8000000000000000322322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSO.FRAMEPROTOCOLWIN32.DLL2023-01-27 11:22:57.092
11241100x8000000000000000322321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOADFPS.DLL2023-01-27 11:22:57.091
11241100x8000000000000000322320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIANEXT.DLL2023-01-27 11:22:57.090
11241100x8000000000000000322319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.088{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIACAPI.DLL2023-01-27 11:22:57.088
11241100x8000000000000000322318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:57.081{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\MSOARIA.DLL2023-01-27 11:22:57.081
23542300x8000000000000000447508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:58.915{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96230AA0D4DE6F4D407FDD371AF9E8A1,SHA256=C53CB5A3FD4CE0FCE324CFD5D5620C9DFA946E25CBBD34049981B6D96D3BB814,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:22:58.989
11241100x8000000000000000322633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.989{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:22:58.988
11241100x8000000000000000322632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.988{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:22:58.988
11241100x8000000000000000322631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.988{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:22:58.987
11241100x8000000000000000322630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:22:58.987
11241100x8000000000000000322629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:22:58.987
11241100x8000000000000000322628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.987{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_XPS.DLL2023-01-27 11:22:58.986
11241100x8000000000000000322627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.986{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_PDF.DLL2023-01-27 11:22:58.986
11241100x8000000000000000322626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL2023-01-27 11:22:58.984
11241100x8000000000000000322625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.984{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrwbin_xl.dll2023-01-27 11:22:58.983
11241100x8000000000000000322624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.983{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmlrw_xl.dll2023-01-27 11:22:58.983
11241100x8000000000000000322623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.983{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmtransactions_xl.dll2023-01-27 11:22:58.983
11241100x8000000000000000322622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.982{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmpersistence_xl.dll2023-01-27 11:22:58.982
11241100x8000000000000000322621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmcachemgr_xl.dll2023-01-27 11:22:58.981
11241100x8000000000000000322620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\tmapi_xl.dll2023-01-27 11:22:58.981
11241100x8000000000000000322619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.981{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\System.Spatial.dll2023-01-27 11:22:58.880
11241100x8000000000000000322618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.980{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msolap_xl.dll2023-01-27 11:22:58.980
11241100x8000000000000000322617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.978{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmgdsrv_xl.dll2023-01-27 11:22:58.977
11241100x8000000000000000322616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.977{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\msmdlocal_xl.dll2023-01-27 11:22:58.973
11241100x8000000000000000322615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.977{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\adal.dll2023-01-27 11:22:58.879
11241100x8000000000000000322614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.973{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.dll2023-01-27 11:22:58.880
23542300x8000000000000000322613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.911{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79653C2E8052C3FFF7DA31553A581B1,SHA256=08F467A9D7C0423D7A3827E052E6BB5BF176FD63B19F6D75DC04666FA981FC9C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.878{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Office.Excel.DataModel.dll2023-01-27 11:22:58.878
11241100x8000000000000000322611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.878{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Tabular.dll2023-01-27 11:22:58.877
11241100x8000000000000000322610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.SPClient.Interfaces.dll2023-01-27 11:22:58.877
11241100x8000000000000000322609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Edm.dll2023-01-27 11:22:58.877
11241100x8000000000000000322608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.Odata.dll2023-01-27 11:22:58.876
11241100x8000000000000000322607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.877{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:58.876
11241100x8000000000000000322606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.875{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.DataFeedClient.dll2023-01-27 11:22:58.874
11241100x8000000000000000322605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:58.873
11241100x8000000000000000322604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL2023-01-27 11:22:58.873
11241100x8000000000000000322603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.873{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.Amo.Core.dll2023-01-27 11:22:58.872
11241100x8000000000000000322602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Excel.AdomdClient.dll2023-01-27 11:22:58.872
11241100x8000000000000000322601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:58.787
11241100x8000000000000000322600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmgdsrv_xl.dll2023-01-27 11:22:58.784
11241100x8000000000000000322599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.SqlServer.Configuration.SString.dll2023-01-27 11:22:58.783
11241100x8000000000000000322598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dll2023-01-27 11:22:58.781
11241100x8000000000000000322597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.781{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.dll2023-01-27 11:22:58.779
11241100x8000000000000000322596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.872{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:58.871
11241100x8000000000000000322595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.785{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:58.785
11241100x8000000000000000322594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.784{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dll2023-01-27 11:22:58.784
11241100x8000000000000000322593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.783{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.SPClient.Interfaces.dll2023-01-27 11:22:58.781
11241100x8000000000000000322592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Tabular.dll2023-01-27 11:22:58.775
11241100x8000000000000000322591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dll2023-01-27 11:22:58.775
11241100x8000000000000000322590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.775{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msmdlocal_xl.dll2023-01-27 11:22:58.774
11241100x8000000000000000322589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.772{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Office.Excel.DataModel.dll2023-01-27 11:22:58.772
11241100x8000000000000000322588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.771{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.dll2023-01-27 11:22:58.769
11241100x8000000000000000322587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.770{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Excel.BackEnd.dll2023-01-27 11:22:58.768
11241100x8000000000000000322586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dll2023-01-27 11:22:58.765
11241100x8000000000000000322585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.768{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll2023-01-27 11:22:58.764
11241100x8000000000000000322584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.764{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEOLEDB.DLL2023-01-27 11:22:58.759
11241100x8000000000000000322583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.753{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dll2023-01-27 11:22:58.747
11241100x8000000000000000322582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.747{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AIRWER.DLL2023-01-27 11:22:58.747
11241100x8000000000000000322581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.743{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL2023-01-27 11:22:58.743
11241100x8000000000000000322580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.741{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLL2023-01-27 11:22:58.741
11241100x8000000000000000322579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.741{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADAL.DLL2023-01-27 11:22:58.741
11241100x8000000000000000322578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.739{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEXBE.DLL2023-01-27 11:22:58.737
11241100x8000000000000000322577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.738{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLL2023-01-27 11:22:58.738
11241100x8000000000000000322576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.736{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWSS.DLL2023-01-27 11:22:58.736
11241100x8000000000000000322575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL2023-01-27 11:22:58.735
11241100x8000000000000000322574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACETXT.DLL2023-01-27 11:22:58.735
11241100x8000000000000000322573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.735{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATASERVICE.DLL2023-01-27 11:22:58.734
11241100x8000000000000000322572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.734{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL2023-01-27 11:22:58.730
11241100x8000000000000000322571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.720{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATA.DLL2023-01-27 11:22:58.654
11241100x8000000000000000322570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.661{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCH.DLL2023-01-27 11:22:58.591
11241100x8000000000000000322569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.658{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEERR.DLL2023-01-27 11:22:58.591
11241100x8000000000000000322568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.593{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL2023-01-27 11:22:58.588
11241100x8000000000000000322567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.588{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL2023-01-27 11:22:58.586
11241100x8000000000000000322566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.576{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEDAO.DLL2023-01-27 11:22:58.575
11241100x8000000000000000322565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\ucrtbase.dll2023-01-27 11:22:58.574
11241100x8000000000000000322564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll2023-01-27 11:22:58.574
11241100x8000000000000000322563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.575{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL2023-01-27 11:22:58.574
11241100x8000000000000000322562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\itircl55.dll2023-01-27 11:22:58.574
11241100x8000000000000000322561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\MSClientDataMgr\MSCDM.DLL2023-01-27 11:22:58.574
11241100x8000000000000000322560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.574{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\MSOEURO.DLL2023-01-27 11:22:58.573
11241100x8000000000000000322559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.573{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll2023-01-27 11:22:58.572
11241100x8000000000000000322558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.572{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll2023-01-27 11:22:58.559
11241100x8000000000000000322557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.559{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\hxds.dll2023-01-27 11:22:58.559
11241100x8000000000000000322556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.558{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll2023-01-27 11:22:58.558
11241100x8000000000000000322555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.558{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll2023-01-27 11:22:58.557
11241100x8000000000000000322554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE2023-01-27 11:22:58.557
11241100x8000000000000000322553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll2023-01-27 11:22:58.557
11241100x8000000000000000322552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL2023-01-27 11:22:58.556
11241100x8000000000000000322551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.557{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGCORE.DLL2023-01-27 11:22:58.556
11241100x8000000000000000322550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.555{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\vccorlib110.dll2023-01-27 11:22:58.555
11241100x8000000000000000322549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.555{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\v8jsi.dll2023-01-27 11:22:58.555
11241100x8000000000000000322548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrhw.dll2023-01-27 11:22:58.552
11241100x8000000000000000322547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rtmmvrcs.dll2023-01-27 11:22:58.552
11241100x8000000000000000322546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\scdec.dll2023-01-27 11:22:58.552
11241100x8000000000000000322545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.553{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\sdxbgt.dll2023-01-27 11:22:58.552
11241100x8000000000000000322544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-win32.dll2023-01-27 11:22:58.551
11241100x8000000000000000322543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\react-native-sdk.dll2023-01-27 11:22:58.550
11241100x8000000000000000322542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.551{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\rdpqoemetrics.dll2023-01-27 11:22:58.550
11241100x8000000000000000322541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.550{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\protocolhandler.exe2023-01-27 11:22:58.549
11241100x8000000000000000322540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.549{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\officeappguardwin32.exe2023-01-27 11:22:58.548
11241100x8000000000000000322539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.548{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocrec.dll2023-01-27 11:22:58.548
11241100x8000000000000000322538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ocimport.dll2023-01-27 11:22:58.547
11241100x8000000000000000322537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcr110.dll2023-01-27 11:22:58.547
11241100x8000000000000000322536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msproof7.dll2023-01-27 11:22:58.547
11241100x8000000000000000322535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.547{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msvcp110.dll2023-01-27 11:22:58.547
11241100x8000000000000000322534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.546{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotelemetry.dll2023-01-27 11:22:58.546
11241100x8000000000000000322533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotdaddin.dll2023-01-27 11:22:58.545
11241100x8000000000000000322532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.545{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msotd.exe2023-01-27 11:22:58.545
11241100x8000000000000000322531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoianetutil.dll2023-01-27 11:22:58.544
11241100x8000000000000000322530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoia.exe2023-01-27 11:22:58.544
11241100x8000000000000000322529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoev.exe2023-01-27 11:22:58.544
11241100x8000000000000000322528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.544{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoetwres.dll2023-01-27 11:22:58.543
11241100x8000000000000000322527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.540{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoasb.exe2023-01-27 11:22:58.539
11241100x8000000000000000322526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msoadfsb.exe2023-01-27 11:22:58.539
11241100x8000000000000000322525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msix.dll2023-01-27 11:22:58.539
11241100x8000000000000000322524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.539{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\msfad.dll2023-01-27 11:22:58.538
11241100x8000000000000000322523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tkjp.dll2023-01-27 11:22:58.538
11241100x8000000000000000322522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7tk.dll2023-01-27 11:22:58.538
11241100x8000000000000000322521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mset7.dll2023-01-27 11:22:58.537
11241100x8000000000000000322520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.538{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\misc.exe2023-01-27 11:22:58.537
11241100x8000000000000000322519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.535{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\mce_office.dll2023-01-27 11:22:58.534
11241100x8000000000000000322518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconvpxy.dll2023-01-27 11:22:58.534
11241100x8000000000000000322517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.534{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lynchtmlconv.exe2023-01-27 11:22:58.533
11241100x8000000000000000322516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync99.exe2023-01-27 11:22:58.533
11241100x8000000000000000322515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\ssscreenvvs.dll2023-01-27 11:22:58.533
11241100x8000000000000000322514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\roottools.dll2023-01-27 11:22:58.533
11241100x8000000000000000322513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.532{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncModelProxy.dll2023-01-27 11:22:58.532
11241100x8000000000000000322512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lyncDesktopViewModel.dll2023-01-27 11:22:58.531
11241100x8000000000000000322511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\lync.exe2023-01-27 11:22:58.531
11241100x8000000000000000322510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnvpxy.dll2023-01-27 11:22:58.530
11241100x8000000000000000322509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\excelcnv.exe2023-01-27 11:22:58.529
11241100x8000000000000000322508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\csi.dll2023-01-27 11:22:58.527
11241100x8000000000000000322507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\atl110.dll2023-01-27 11:22:58.527
11241100x8000000000000000322506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\cpprestsdk.dll2023-01-27 11:22:58.526
11241100x8000000000000000322505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshvw.dll2023-01-27 11:22:58.526
11241100x8000000000000000322504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appshcom.dll2023-01-27 11:22:58.526
11241100x8000000000000000322503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\appsharingmediaprovider.dll2023-01-27 11:22:58.525
11241100x8000000000000000322502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLINTL32.COMMON.DLL2023-01-27 11:22:58.525
11241100x8000000000000000322501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLICONS.EXE2023-01-27 11:22:58.525
11241100x8000000000000000322500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\XLCALL32.DLL2023-01-27 11:22:58.524
11241100x8000000000000000322499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordconv.exe2023-01-27 11:22:58.523
11241100x8000000000000000322498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnvr.dll2023-01-27 11:22:58.523
11241100x8000000000000000322497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.523{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Host.dll2023-01-27 11:22:58.522
11241100x8000000000000000322496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.522{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Wordcnv.dll2023-01-27 11:22:58.484
11241100x8000000000000000322495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.481{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Win32MsgQueue.dll2023-01-27 11:22:58.481
11241100x8000000000000000322494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.480{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WebView2Loader.dll2023-01-27 11:22:58.480
11241100x8000000000000000322493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.479{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WINWORD.EXE2023-01-27 11:22:58.479
11241100x8000000000000000322492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WORDICON.EXE2023-01-27 11:22:58.472
11241100x8000000000000000322491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.472{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WWLIB.DLL2023-01-27 11:22:58.469
11241100x8000000000000000322490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.468{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\WEBSANDBOX.DLL2023-01-27 11:22:58.468
11241100x8000000000000000322489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.447{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VPREVIEW.EXE2023-01-27 11:22:58.416
11241100x8000000000000000322488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.444{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWER.DLL2023-01-27 11:22:58.444
11241100x8000000000000000322487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.428{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VVIEWDWG.DLL2023-01-27 11:22:58.428
11241100x8000000000000000322486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.407{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VISSHE.DLL2023-01-27 11:22:58.406
11241100x8000000000000000322485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.406{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UccApi.dll2023-01-27 11:22:58.406
11241100x8000000000000000322484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UcMapi.exe2023-01-27 11:22:58.397
11241100x8000000000000000322483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.397{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Uc.dll2023-01-27 11:22:58.396
11241100x8000000000000000322482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\TellMeRuntime.dll2023-01-27 11:22:58.396
11241100x8000000000000000322481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.396{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\URLREDIR.DLL2023-01-27 11:22:58.395
11241100x8000000000000000322480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SKYPESERVER.EXE2023-01-27 11:22:58.394
11241100x8000000000000000322479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.395{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\UCAddin.dll2023-01-27 11:22:58.395
11241100x8000000000000000322478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.394{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SkypeSrv\SFBAPPSDK.DLL2023-01-27 11:22:58.394
11241100x8000000000000000322477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.394{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SignalRClient.dll2023-01-27 11:22:58.392
11241100x8000000000000000322476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.393{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\STSLIST.DLL2023-01-27 11:22:58.391
11241100x8000000000000000322475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALPROVIDER.DLL2023-01-27 11:22:58.391
11241100x8000000000000000322474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOCIALCONNECTOR.DLL2023-01-27 11:22:58.391
11241100x8000000000000000322473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.391{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SOA.DLL2023-01-27 11:22:58.390
11241100x8000000000000000322472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SHAREPOINTPROVIDER.DLL2023-01-27 11:22:58.390
11241100x8000000000000000322471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SEQCHK10.DLL2023-01-27 11:22:58.390
11241100x8000000000000000322470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.390{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SETLANG.EXE2023-01-27 11:22:58.389
11241100x8000000000000000322469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.389{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SENDTO.DLL2023-01-27 11:22:58.389
11241100x8000000000000000322468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.389{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SELFCERT.EXE2023-01-27 11:22:58.388
11241100x8000000000000000322467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCRUNTIME140_APP.DLL2023-01-27 11:22:58.388
11241100x8000000000000000322466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\VCCORLIB140_APP.DLL2023-01-27 11:22:58.388
11241100x8000000000000000322465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.388{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelperBgt.exe2023-01-27 11:22:58.388
11241100x8000000000000000322464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SDXHelper.exe2023-01-27 11:22:58.387
11241100x8000000000000000322463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64C.DLL2023-01-27 11:22:58.387
11241100x8000000000000000322462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.387{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST64.DLL2023-01-27 11:22:58.387
11241100x8000000000000000322461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCNPST32.DLL2023-01-27 11:22:58.385
11241100x8000000000000000322460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SCANPST.EXE2023-01-27 11:22:58.385
11241100x8000000000000000322459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvras.dll2023-01-27 11:22:58.385
11241100x8000000000000000322458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.385{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmpal.dll2023-01-27 11:22:58.384
11241100x8000000000000000322457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\SAEXT.DLL2023-01-27 11:22:58.384
11241100x8000000000000000322456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmvrsplitter.dll2023-01-27 11:22:58.384
11241100x8000000000000000322455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.384{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmmediamanager.dll2023-01-27 11:22:58.383
23542300x8000000000000000322454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.382{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC71DE7AD1A9072FE5B89CA695CE339,SHA256=9E3A7456C35653FDCC29B8FD26D26626296204C94B0563AE3BE89EED67BAC432,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Rtmcodecs.dll2023-01-27 11:22:58.382
11241100x8000000000000000322452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTMPLTFM.dll2023-01-27 11:22:58.382
11241100x8000000000000000322451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.382{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RTC.DLL2023-01-27 11:22:58.381
11241100x8000000000000000322450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\REFEDIT.DLL2023-01-27 11:22:58.381
11241100x8000000000000000322449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\RECALL.DLL2023-01-27 11:22:58.381
11241100x8000000000000000322448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModelProxy.dll2023-01-27 11:22:58.381
11241100x8000000000000000322447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.381{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\Psom.dll2023-01-27 11:22:58.380
11241100x8000000000000000322446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUBTRAP.DLL2023-01-27 11:22:58.379
11241100x8000000000000000322445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PropertyModel.dll2023-01-27 11:22:58.379
11241100x8000000000000000322444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:58.379{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\Office16\PUB6INTL.COMMON.DLL2023-01-27 11:22:57.769
23542300x8000000000000000322443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.378{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD9A7151B04BA8D89EBF7DEA271F351,SHA256=13A2945213DC49BF919B3EA609AEFA08D4BEBF61FEFB084BDDCC464C9434228B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000322442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:56.515{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-212.us-east-2.compute.internal50978-false10.0.1.12-8000-
10341000x8000000000000000322441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.354{72106695-9B84-63D3-0B00-00000000BD02}6283928C:\Windows\system32\lsass.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B86-63D3-2E00-00000000BD02}29282948C:\Windows\system32\conhost.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0C00-00000000BD02}7322248C:\Windows\system32\svchost.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000322435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B84-63D3-0500-00000000BD02}412528C:\Windows\system32\csrss.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000322434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.268{72106695-9B85-63D3-1F00-00000000BD02}19803152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000322433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:58.114{72106695-B412-63D3-B903-00000000BD02}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{72106695-9B84-63D3-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000447528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.962{45AAC21C-9BAA-63D3-7B00-00000000BC02}3928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2302872C5C00159385BB2BC00D616E68,SHA256=94F0FA3E506275F125F0A897FD1C6CEEDCADA7949A81CB8BAEC4050086D7C41C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000322686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:59.812{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE4D21EE28888B75395BAAABF7F82F8,SHA256=67E3448C4C68C3FA347E94F4F2EC9333C1C126AE692131D310C3FD8DF41547BA,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.804{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\operfmon.exe2023-01-27 11:22:59.803
11241100x8000000000000000322684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.804{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dll2023-01-27 11:22:59.803
11241100x8000000000000000322683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FDATE.DLL2023-01-27 11:22:59.803
11241100x8000000000000000322682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dll2023-01-27 11:22:59.803
11241100x8000000000000000322681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll2023-01-27 11:22:59.802
11241100x8000000000000000322680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\offhud.dll2023-01-27 11:22:59.802
11241100x8000000000000000322679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.803{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSLID.DLL2023-01-27 11:22:59.802
11241100x8000000000000000322678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.802{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll2023-01-27 11:22:59.801
11241100x8000000000000000322677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowercrash.dll2023-01-27 11:22:59.801
11241100x8000000000000000322676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll2023-01-27 11:22:59.801
11241100x8000000000000000322675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mlg.dll2023-01-27 11:22:59.801
11241100x8000000000000000322674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aitrx.dll2023-01-27 11:22:59.801
11241100x8000000000000000322673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.801{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\aimgr.exe2023-01-27 11:22:59.801
11241100x8000000000000000322672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WISC30.DLL2023-01-27 11:22:59.534
11241100x8000000000000000322671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\WXPNSE.DLL2023-01-27 11:22:59.534
11241100x8000000000000000322670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe2023-01-27 11:22:59.794
11241100x8000000000000000322669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.800{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.dll2023-01-27 11:22:59.794
23542300x8000000000000000322668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:22:59.794{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A009DA55755CA4F306A907D1B5C648F0,SHA256=4E4798186D503BD694217657BC60C3F55D8B94EC1261BCF6E4633E6B2C6A63D9,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000322667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.533{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL2023-01-27 11:22:59.533
11241100x8000000000000000322666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\TextIntelligence.dll2023-01-27 11:22:59.531
11241100x8000000000000000322665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL2023-01-27 11:22:59.530
11241100x8000000000000000322664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.530{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL2023-01-27 11:22:59.530
11241100x8000000000000000322663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OFFREL.DLL2023-01-27 11:22:59.527
11241100x8000000000000000322662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLL2023-01-27 11:22:59.527
11241100x8000000000000000322661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll2023-01-27 11:22:59.526
11241100x8000000000000000322660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll2023-01-27 11:22:59.525
11241100x8000000000000000322659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll2023-01-27 11:22:59.525
11241100x8000000000000000322658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll2023-01-27 11:22:59.525
11241100x8000000000000000322657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll2023-01-27 11:22:59.524
11241100x8000000000000000322656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.524{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL2023-01-27 11:22:59.274
11241100x8000000000000000322655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL2023-01-27 11:22:59.273
11241100x8000000000000000322654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLL2023-01-27 11:22:59.273
11241100x8000000000000000322653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.273{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL2023-01-27 11:22:59.273
11241100x8000000000000000322652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.272{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE2023-01-27 11:22:59.272
10341000x8000000000000000447527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.606{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2700-00000000BC02}2584C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.583{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2600-00000000BC02}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.574{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2500-00000000BC02}2492C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.571{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B8F-63D3-2300-00000000BC02}2344C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.568{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1D00-00000000BC02}2112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.563{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B86-63D3-1700-00000000BC02}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.514{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1600-00000000BC02}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.497{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1500-00000000BC02}1256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.478{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1400-00000000BC02}928C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.470{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1300-00000000BC02}828C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.456{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1200-00000000BC02}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.443{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1100-00000000BC02}376C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.434{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-1000-00000000BC02}368C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.412{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0F00-00000000BC02}308C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.396{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0E00-00000000BC02}992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.376{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0D00-00000000BC02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.357{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B85-63D3-0C00-00000000BC02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.304{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0B00-00000000BC02}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:22:59.296{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B83-63D3-0900-00000000BC02}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
11241100x8000000000000000322651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.265{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSORES.DLL2023-01-27 11:22:59.265
11241100x8000000000000000322650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE2023-01-27 11:22:59.250
11241100x8000000000000000322649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO99LRES.DLL2023-01-27 11:22:59.250
11241100x8000000000000000322648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO40UIRES.DLL2023-01-27 11:22:59.250
11241100x8000000000000000322647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.250{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL2023-01-27 11:22:59.250
11241100x8000000000000000322646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll2023-01-27 11:22:59.244
11241100x8000000000000000322645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM3.DLL2023-01-27 11:22:59.249
11241100x8000000000000000322644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll2023-01-27 11:22:59.245
11241100x8000000000000000322643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140_1.dll2023-01-27 11:22:59.248
11241100x8000000000000000322642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.249{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\IACOM2.DLL2023-01-27 11:22:59.244
11241100x8000000000000000322641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:22:59.239
11241100x8000000000000000322640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:22:59.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE2023-01-27 11:22:59.239
11241100x8000000000000000322639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.236{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:22:59.235
11241100x8000000000000000322638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.235{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:22:59.234
11241100x8000000000000000322637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModelv16\xmsrv_xl.dll2023-01-27 11:22:58.984
11241100x8000000000000000322636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.234{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:22:59.233
11241100x8000000000000000322635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:22:59.233{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:22:58.989
10341000x8000000000000000322893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.956{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B405-63D3-B203-00000000BD02}4756C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.939{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.933{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B402-63D3-B003-00000000BD02}3780C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.931{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3FE-63D3-AF03-00000000BD02}4452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.919{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B3F8-63D3-A903-00000000BD02}6048C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.909{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B110-63D3-3A03-00000000BD02}5004C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.898{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B10F-63D3-3903-00000000BD02}4876C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.895{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B107-63D3-2C03-00000000BD02}3396C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.867{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B106-63D3-2B03-00000000BD02}964C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
23542300x8000000000000000322884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.862{72106695-9B97-63D3-6D00-00000000BD02}3764NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11AFDA5B5E8CF425AB4C2AAF1307F52,SHA256=698DA1CBC0FDA7AC157B8BCD05571EE9C02137501F7FC4D632322492D4CB256F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000322883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.862{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-2103-00000000BD02}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.852{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B105-63D3-1E03-00000000BD02}2724C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.845{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B103-63D3-1503-00000000BD02}948C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.842{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-B102-63D3-1103-00000000BD02}3676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.839{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9C00-63D3-7B00-00000000BD02}2704C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.807{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B97-63D3-6D00-00000000BD02}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.800{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B90-63D3-6200-00000000BD02}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.798{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B88-63D3-4200-00000000BD02}2308C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.793{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3D00-00000000BD02}3004C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.792{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B87-63D3-3C00-00000000BD02}2824C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
11241100x8000000000000000322873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.791{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\mfc140.dll2023-01-27 11:23:00.791
10341000x8000000000000000322872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.791{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2E00-00000000BD02}2928C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
11241100x8000000000000000322871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\vccorlib140.dll2023-01-27 11:23:00.790
11241100x8000000000000000322870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\System\FM20.DLL2023-01-27 11:23:00.790
10341000x8000000000000000322869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.790{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2600-00000000BD02}2556C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
11241100x8000000000000000322868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.790{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140kor.dll2023-01-27 11:23:00.789
11241100x8000000000000000322867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_1.dll2023-01-27 11:23:00.789
11241100x8000000000000000322866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140.dll2023-01-27 11:23:00.789
11241100x8000000000000000322865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140u.dll2023-01-27 11:23:00.788
11241100x8000000000000000322864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.789{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfcm140.dll2023-01-27 11:23:00.788
11241100x8000000000000000322863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.788{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140u.dll2023-01-27 11:23:00.777
10341000x8000000000000000322862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.788{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B86-63D3-2300-00000000BD02}2404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.787{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-2100-00000000BD02}748C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
11241100x8000000000000000322860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_codecvt_ids.dll2023-01-27 11:23:00.777
11241100x8000000000000000322859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140rus.dll2023-01-27 11:23:00.777
11241100x8000000000000000322858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\msvcp140_2.dll2023-01-27 11:23:00.777
11241100x8000000000000000322857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140cht.dll2023-01-27 11:23:00.777
11241100x8000000000000000322856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140ita.dll2023-01-27 11:23:00.777
11241100x8000000000000000322855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140fra.dll2023-01-27 11:23:00.777
11241100x8000000000000000322854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140enu.dll2023-01-27 11:23:00.777
11241100x8000000000000000322853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140deu.dll2023-01-27 11:23:00.777
11241100x8000000000000000322852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140jpn.dll2023-01-27 11:23:00.777
11241100x8000000000000000322851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.777{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140chs.dll2023-01-27 11:23:00.532
10341000x8000000000000000322850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.668{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1F00-00000000BD02}1980C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.661{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1E00-00000000BD02}1924C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.655{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1D00-00000000BD02}1912C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.653{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1B00-00000000BD02}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.646{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1900-00000000BD02}1764C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.619{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1700-00000000BD02}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.617{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1600-00000000BD02}1216C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.608{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1500-00000000BD02}1040C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.534{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1400-00000000BD02}1032C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.532{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1300-00000000BD02}836C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
11241100x8000000000000000322840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.531{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140esn.dll2023-01-27 11:23:00.530
11241100x8000000000000000322839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.529{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\mfc140.dll2023-01-27 11:23:00.526
11241100x8000000000000000322838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.527{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll2023-01-27 11:23:00.526
11241100x8000000000000000322837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.526{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\SystemX86\concrt140.dll2023-01-27 11:23:00.526
11241100x8000000000000000322836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.525{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll2023-01-27 11:23:00.525
10341000x8000000000000000322835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.520{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1200-00000000BD02}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
11241100x8000000000000000322834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll2023-01-27 11:23:00.513
11241100x8000000000000000322833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll2023-01-27 11:23:00.513
11241100x8000000000000000322832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.513{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll2023-01-27 11:23:00.512
11241100x8000000000000000322831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.512{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL2023-01-27 11:23:00.511
11241100x8000000000000000322830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL2023-01-27 11:23:00.511
11241100x8000000000000000322829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLL2023-01-27 11:23:00.511
11241100x8000000000000000322828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.511{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL2023-01-27 11:23:00.247
10341000x8000000000000000322827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.506{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1100-00000000BD02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.474{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-1000-00000000BD02}932C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.458{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0F00-00000000BD02}896C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.437{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0E00-00000000BD02}888C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.405{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B85-63D3-0D00-00000000BD02}796C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.373{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0C00-00000000BD02}732C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.352{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0B00-00000000BD02}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000322820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212-2023-01-27 11:23:00.340{72106695-9B85-63D3-2000-00000000BD02}20002932C:\Program Files\Aurora-Agent\aurora-agent.exe{72106695-9B84-63D3-0900-00000000BD02}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019258850)
10341000x8000000000000000447533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.295{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2D00-00000000BC02}2788C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.292{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2C00-00000000BC02}2776C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.288{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2B00-00000000BC02}2760C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.286{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2A00-00000000BC02}2608C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
10341000x8000000000000000447529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-460.attackrange.local-2023-01-27 11:23:00.284{45AAC21C-9B96-63D3-3000-00000000BC02}2848904C:\Program Files\Aurora-Agent\aurora-agent.exe{45AAC21C-9B96-63D3-2800-00000000BC02}2592C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A6DE190)
11241100x8000000000000000322819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.247{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\PPSLAX.DLL2023-01-27 11:23:00.247
11241100x8000000000000000322818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.247{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL2023-01-27 11:23:00.242
11241100x8000000000000000322817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.245{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL2023-01-27 11:23:00.242
11241100x8000000000000000322816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.242{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL2023-01-27 11:23:00.242
11241100x8000000000000000322815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.242{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFPROXY.DLL2023-01-27 11:23:00.241
11241100x8000000000000000322814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.241{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL2023-01-27 11:23:00.240
11241100x8000000000000000322813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.240{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIELinkedNotes.dll2023-01-27 11:23:00.240
11241100x8000000000000000322812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll2023-01-27 11:23:00.239
11241100x8000000000000000322811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL2023-01-27 11:23:00.239
11241100x8000000000000000322810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OSFROAMINGPROXY.DLL2023-01-27 11:23:00.239
11241100x8000000000000000322809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.239{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll2023-01-27 11:23:00.238
11241100x8000000000000000322808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.238{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL2023-01-27 11:23:00.238
11241100x8000000000000000322807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.238{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL2023-01-27 11:23:00.237
11241100x8000000000000000322806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.237{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMECONTROLPROXY.DLL2023-01-27 11:23:00.211
11241100x8000000000000000322805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.211{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL2023-01-27 11:23:00.211
11241100x8000000000000000322804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.211{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll2023-01-27 11:23:00.210
11241100x8000000000000000322803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.210{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL2023-01-27 11:23:00.210
11241100x8000000000000000322802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.206{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE2023-01-27 11:23:00.206
11241100x8000000000000000322801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.205{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHEV.DLL2023-01-27 11:23:00.204
11241100x8000000000000000322800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.200{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL2023-01-27 11:23:00.200
11241100x8000000000000000322799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.200{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL2023-01-27 11:23:00.199
11241100x8000000000000000322798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.197{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL2023-01-27 11:23:00.197
11241100x8000000000000000322797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.196{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL2023-01-27 11:23:00.196
11241100x8000000000000000322796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\office.dll2023-01-27 11:23:00.184
11241100x8000000000000000322795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Vbe.Interop.dll2023-01-27 11:23:00.184
11241100x8000000000000000322794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelServices.dll2023-01-27 11:23:00.184
11241100x8000000000000000322793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.184{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelAddIn.dll2023-01-27 11:23:00.182
11241100x8000000000000000322792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.Diagram.dll2023-01-27 11:23:00.181
11241100x8000000000000000322791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.dll2023-01-27 11:23:00.181
11241100x8000000000000000322790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.181{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe2023-01-27 11:23:00.180
11241100x8000000000000000322789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Excel.dll2023-01-27 11:23:00.180
11241100x8000000000000000322788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dll2023-01-27 11:23:00.180
11241100x8000000000000000322787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Office.Interop.Access.dao.dll2023-01-27 11:23:00.180
11241100x8000000000000000322786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.180{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE2023-01-27 11:23:00.179
11241100x8000000000000000322785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR120.DLL2023-01-27 11:23:00.179
11241100x8000000000000000322784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.179{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\NativeShim.Resources.dll2023-01-27 11:23:00.177
11241100x8000000000000000322783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.177{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Inquire.dll2023-01-27 11:23:00.176
11241100x8000000000000000322782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.176{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll2023-01-27 11:23:00.176
11241100x8000000000000000322781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.176{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll2023-01-27 11:23:00.176
11241100x8000000000000000322780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll2023-01-27 11:23:00.175
11241100x8000000000000000322779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseCore.dll2023-01-27 11:23:00.175
11241100x8000000000000000322778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.SqlDatabase.dll2023-01-27 11:23:00.175
11241100x8000000000000000322777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.175{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.PasswordManager.dll2023-01-27 11:23:00.174
11241100x8000000000000000322776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.MsoInterop.dll2023-01-27 11:23:00.174
11241100x8000000000000000322775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll2023-01-27 11:23:00.174
11241100x8000000000000000322774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.174{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ExcelServices.dll2023-01-27 11:23:00.173
11241100x8000000000000000322773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE2023-01-27 11:23:00.173
11241100x8000000000000000322772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe2023-01-27 11:23:00.173
11241100x8000000000000000322771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.173{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe2023-01-27 11:23:00.172
11241100x8000000000000000322770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.172{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe2023-01-27 11:23:00.168
11241100x8000000000000000322769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ClientConfiguration.dll2023-01-27 11:23:00.168
11241100x8000000000000000322768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.AuditItems.dll2023-01-27 11:23:00.168
11241100x8000000000000000322767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AutoHelper.dll2023-01-27 11:23:00.168
11241100x8000000000000000322766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.168{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vcruntime140.dll2023-01-27 11:23:00.167
11241100x8000000000000000322765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp140.dll2023-01-27 11:23:00.167
11241100x8000000000000000322764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe2023-01-27 11:23:00.164
11241100x8000000000000000322763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.167{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-utility-l1-1-0.dll2023-01-27 11:23:00.164
11241100x8000000000000000322762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.162{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-stdio-l1-1-0.dll2023-01-27 11:23:00.160
11241100x8000000000000000322761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-time-l1-1-0.dll2023-01-27 11:23:00.160
11241100x8000000000000000322760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-runtime-l1-1-0.dll2023-01-27 11:23:00.159
11241100x8000000000000000322759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-math-l1-1-0.dll2023-01-27 11:23:00.159
11241100x8000000000000000322758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.161{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll2023-01-27 11:23:00.159
11241100x8000000000000000322757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.160{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-locale-l1-1-0.dll2023-01-27 11:23:00.159
11241100x8000000000000000322756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.160{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll2023-01-27 11:23:00.159
11241100x8000000000000000322755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-environment-l1-1-0.dll2023-01-27 11:23:00.157
11241100x8000000000000000322754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dll2023-01-27 11:23:00.157
11241100x8000000000000000322753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.157{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-filesystem-l1-1-0.dll2023-01-27 11:23:00.157
11241100x8000000000000000322752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingChromeHook.dll2023-01-27 11:23:00.155
11241100x8000000000000000322751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.155{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll2023-01-27 11:23:00.154
11241100x8000000000000000322750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.154{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll2023-01-27 11:23:00.153
11241100x8000000000000000322749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.153{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolap.dll2023-01-27 11:23:00.153
11241100x8000000000000000322748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.153{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll2023-01-27 11:23:00.153
11241100x8000000000000000322747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.151{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll2023-01-27 11:23:00.151
11241100x8000000000000000322746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.150{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll2023-01-27 11:23:00.149
11241100x8000000000000000322745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.149{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe2023-01-27 11:23:00.145
11241100x8000000000000000322744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.145{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll2023-01-27 11:23:00.145
11241100x8000000000000000322743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.145{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll2023-01-27 11:23:00.145
11241100x8000000000000000322742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.144{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolui.dll2023-01-27 11:23:00.144
11241100x8000000000000000322741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.144{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll2023-01-27 11:23:00.143
11241100x8000000000000000322740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll2023-01-27 11:23:00.143
11241100x8000000000000000322739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll2023-01-27 11:23:00.142
11241100x8000000000000000322738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.143{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe2023-01-27 11:23:00.131
11241100x8000000000000000322737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.142{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Microsoft.AnalysisServices.AzureClient.dll2023-01-27 11:23:00.131
11241100x8000000000000000322736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.142{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\adal.dll2023-01-27 11:23:00.131
11241100x8000000000000000322735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.131{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrwbin.dll2023-01-27 11:23:00.130
11241100x8000000000000000322734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.130{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dll2023-01-27 11:23:00.130
11241100x8000000000000000322733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL2023-01-27 11:23:00.129
11241100x8000000000000000322732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll2023-01-27 11:23:00.128
11241100x8000000000000000322731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vcruntime140.dll2023-01-27 11:23:00.128
11241100x8000000000000000322730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL2023-01-27 11:23:00.128
11241100x8000000000000000322729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.129{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp140.dll2023-01-27 11:23:00.120
11241100x8000000000000000322728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vccorlib140.dll2023-01-27 11:23:00.127
11241100x8000000000000000322727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.128{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ucrtbase.dll2023-01-27 11:23:00.128
11241100x8000000000000000322726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.120{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mfc140u.dll2023-01-27 11:23:00.120
11241100x8000000000000000322725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll2023-01-27 11:23:00.118
11241100x8000000000000000322724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.118{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll2023-01-27 11:23:00.118
11241100x8000000000000000322723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.117{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\mlg.dll2023-01-27 11:23:00.117
11241100x8000000000000000322722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aimgr.exe2023-01-27 11:23:00.115
11241100x8000000000000000322721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.exe2023-01-27 11:23:00.115
11241100x8000000000000000322720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.116{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\aitrx.dll2023-01-27 11:23:00.115
11241100x8000000000000000322719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.110{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ai.dll2023-01-27 11:23:00.110
11241100x8000000000000000322718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.110{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\TextIntelligence.dll2023-01-27 11:23:00.110
11241100x8000000000000000322717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll2023-01-27 11:23:00.094
11241100x8000000000000000322716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll2023-01-27 11:23:00.094
11241100x8000000000000000322715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll2023-01-27 11:23:00.094
11241100x8000000000000000322714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.094{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dll2023-01-27 11:23:00.094
11241100x8000000000000000322713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll2023-01-27 11:23:00.092
11241100x8000000000000000322712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.092{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL2023-01-27 11:23:00.092
11241100x8000000000000000322711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.091{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSORES.DLL2023-01-27 11:23:00.091
11241100x8000000000000000322710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO99LRES.DLL2023-01-27 11:23:00.090
11241100x8000000000000000322709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO40UIRES.DLL2023-01-27 11:23:00.090
11241100x8000000000000000322708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.090{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSO.DLL2023-01-27 11:23:00.089
11241100x8000000000000000322707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll2023-01-27 11:23:00.089
11241100x8000000000000000322706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.089{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL2023-01-27 11:23:00.068
11241100x8000000000000000322705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrw.dll2023-01-27 11:23:00.068
11241100x8000000000000000322704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.069{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll2023-01-27 11:23:00.068
11241100x8000000000000000322703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.068{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL2023-01-27 11:23:00.068
11241100x8000000000000000322702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL2023-01-27 11:23:00.065
11241100x8000000000000000322701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL2023-01-27 11:23:00.065
11241100x8000000000000000322700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.065{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL2023-01-27 11:23:00.064
11241100x8000000000000000322699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL2023-01-27 11:23:00.064
11241100x8000000000000000322698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL2023-01-27 11:23:00.064
11241100x8000000000000000322697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL2023-01-27 11:23:00.064
11241100x8000000000000000322696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\MSCONV97.DLL2023-01-27 11:23:00.063
11241100x8000000000000000322695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.064{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CORE.DLL2023-01-27 11:23:00.063
11241100x8000000000000000322694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE2023-01-27 11:23:00.063
11241100x8000000000000000322693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212EXE2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe2023-01-27 11:23:00.062
11241100x8000000000000000322692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.063{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MOFL.DLL2023-01-27 11:23:00.062
11241100x8000000000000000322691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.DLL2023-01-27 11:23:00.062
11241100x8000000000000000322690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IMCONTACT.DLL2023-01-27 11:23:00.062
11241100x8000000000000000322689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.062{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\IETAG.DLL2023-01-27 11:23:00.061
11241100x8000000000000000322688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPERSON.DLL2023-01-27 11:23:00.061
11241100x8000000000000000322687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-212DLL2023-01-27 11:23:00.061{72106695-B403-63D3-B103-00000000BD02}6092C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\549B28D0-2AAB-4007-AF73-46E58ABB894E\root\vfs\ProgramFilesCommonX64\Mi