23542300x800000000000000044967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.769{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE37C.tmpMD5=8473AC8F0011BB56B0BB1899E5CF15E8,SHA256=56F8C768C83464654B8F3762509362CC87ABAF960A3AF30CF697DD3F5CB1DC08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.753{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE36C.tmpMD5=6028F2CD4EC2DAEF804C5354E38EF977,SHA256=88CBEBC76ABBA370B1985EFB0DD2EC86961E4C883CD7CC6457561940C7BF92A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.738{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE36B.tmpMD5=AE6FBDED57F9F7D048B95468DDEE47CA,SHA256=D3C9D1FF7B54B653C6A1125CAC49F52070338A2DD271817BBA8853E99C0F33A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.738{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE36A.tmpMD5=2A8875D2AF46255DB8324AAD9687D0B7,SHA256=54097CCCAE0CFCE5608466BA5A5CA2A3DFEAC536964EEC532540F3B837F5A7C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.738{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE359.tmpMD5=9B7427A803C8856E0EF56A5D14624310,SHA256=AC6C321EFE3016F8716731482C852C07431C384BCA190B23252AA424752D5BE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE358.tmpMD5=D192F7C343602D02E3E020807707006E,SHA256=BB4D233C90BDBEE6EF83E40BFF1149EA884EFA790B3BEF496164DF6F90297C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE357.tmpMD5=2DD3F3C33E7100EC0D4DBBCA9774B044,SHA256=5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE356.tmpMD5=635E15CB045FF4CF0E6A31C827225767,SHA256=67219E5AD98A31E8FA8593323CD2024C1CA54D65985D895E8830AE356C7BDF1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE355.tmpMD5=2D84AD5CFDF57BD4E3656BCFD9A864EA,SHA256=D241584A3FD4A91976FAFD5EC427E88F6E60998954DEC39E388AF88316AF3552,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE354.tmpMD5=379523B9F5D5B954E719B664846DBF8F,SHA256=3C9002CAEDF0C007134A7E632C72588945A4892B6D7AD3977224A6A5A7457BF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE353.tmpMD5=5F243BF7CC0A348B6D31460A91173E71,SHA256=1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE352.tmpMD5=FC94FE7BD3975E75CEFAD79F5908F7B3,SHA256=EE1ED3B49720B22D5FDA63D3C46D62A96CA8838C76AB2D2F580B1E7745521AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE351.tmpMD5=DB7C049E5E4E336D76D5A744C28C54C8,SHA256=E8830E7AC4088CF3DD464CAEC33A0035D966A7DE5AE4EFC3580D59A41916FF7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.722{DAC7F284-9B82-63CF-1301-00000000B102}2884ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmE350.tmpMD5=F732BF1006B6529CFFBA2B9F50C4B07F,SHA256=77739084A27CB320F208AC1927D3D9C3CAC42748DBDF6229684EF18352D95067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:47.347{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542A80E19B1B27B92AC08AB3195D0A69,SHA256=91889CC56A52979E924D9A0055FF274B6EB9C638A7F14BD5F52297F5C2B215FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:48.018{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9818EAD88BD49E62A8AA9176900931A,SHA256=DBB5119390054F423665DCF4A55F9892037CA216B14A075BD1839EEA43AF4DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:48.452{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1867562975624D5BF738E3E799C208E,SHA256=B631FDE048C2FF272C792E76F4BA476C7F6B575C728E44093A0903C1F961B5D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:49.098{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C78728C1ED334B8F475AE14DBBDEA94,SHA256=F8BE36BA318C1C8518F740B8303EF5DE3B0C5DB2982C74324ADD0BA5FB0893F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:46.085{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000044972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.963{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.963{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.963{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:49.540{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4779972C98D77A52B4E838E78E192E64,SHA256=57B3B1C437CE22607890AA4F9A22F5799C5B54F1A364CC1B9DFDDB85B00D4A0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:50.185{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8519817F395163A3210B633530C293B0,SHA256=21BA8DA48C7AA2078034A7FB35BCD00893016746D2A3792374E45B5E468D5872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:50.630{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951F612E74D1E65571743A47A24DAC3F,SHA256=F9BA2F164BC2AE828CFBF82054AF723B5915080CD59D970944C7A23D962BE334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:51.279{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5500D97F65CFA8D281CC53DBF175E14D,SHA256=0F2E9A7C3C343D3664776C3E16C2F19F75E9F62B2A96496004546772724B7663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:51.710{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB11D391D54FB2F42A38B3DE23E00DE2,SHA256=4639C33611DF3F8D6AA834911FA1A1F3D8783D078C4807AFBC81E92B7A93C61A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:48.817{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:52.572{2EF863A9-992B-63CF-1E00-00000000B202}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D27A2B68459EB25D0543FCE8E2AED46,SHA256=C2AF9C0093701B0E65C35CFFC545942D0568AE7F6D8E3A5700485E9D2C7D56DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:52.364{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFBABA8285216292FEAA0B166590254,SHA256=02C3B109D3D612904B38070F14DB4AD16EB5DFDAC5E06AF425776DDDE1131D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:52.799{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B55AFA8C118467DC5BD677E3D2C444,SHA256=C1AC879640A5C12102B9410156E425ABE068983E9CC445C0D21A8BF54EA77279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:52.090{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:53.438{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380397158702DA80FDA8F23B250602F2,SHA256=992FCDECF04B8FFCBC5702E0C1575846E0F23747333B5031CF403068C846D954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.967{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.967{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.967{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:53.888{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDAB4B45127B384E60F0135472A749D,SHA256=435A99BFD017D76F5DFD0E204FB239812CBB84164B35AA9D07A59CF873D64776,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.731{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.725{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.722{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.720{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.718{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.715{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.711{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.708{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.706{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.704{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.687{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.675{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.667{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.659{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.653{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.635{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.627{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.593{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.573{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.567{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.559{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.551{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x800000000000000019881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.528{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6352EB615C30A2F32CBDB44881BDC4C4,SHA256=4E55AF611D176E2EAC27E2AF2548C260E7841BCF15A3393F86EBE8048A1BE0A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.482{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.471{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.458{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.447{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.439{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 23542300x800000000000000044982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:54.970{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75531FA88AFE540AEE51C18FD8915F57,SHA256=4500413FBD36A79ECB41D3E2297AB7D47321D7151BB08E80DE9BA76AF6F4151A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.428{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.421{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 10341000x800000000000000019873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:54.416{2EF863A9-992B-63CF-2100-00000000B202}15002836C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012B80190) 13241300x800000000000000044981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-SetValue2023-01-24 08:49:54.196{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92fd0-0xd41495fe) 23542300x800000000000000019904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:55.880{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAD3A4F2ADC809F8B6B8D02BE94D550,SHA256=D43972F687EE31CCA2F659E4A080A7032E3A511E64AA5F95ED26CF333A9BA4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:56.917{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58ED12B2B3FC3D4684535D197034601,SHA256=78CEF82E0ABF902AC3479AB98BD5072F99E02BAC817CAC3E3B3442C71454F801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.925{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.925{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:54.610{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000044983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.049{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA9883A123D29C4302027EAED658BAF,SHA256=E6B5A20A8ACF0A3DEE369E9AD6B83A51702E5B14C34733693C5C3A865E3C28C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000044993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\Office16\sdxs\FA000000063\index.win32.bundle.tpn.txt2023-01-24 08:49:57.906 11241100x800000000000000044992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\Office16\sdxs\FA000000062\index.win32.bundle.LICENSE.txt2023-01-24 08:49:57.906 11241100x800000000000000044991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll2023-01-24 08:49:57.906 11241100x800000000000000044990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll2023-01-24 08:49:57.906 11241100x800000000000000044989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll2023-01-24 08:49:57.906 11241100x800000000000000044988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.localDLL2023-01-24 08:49:57.906{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\Updates\Download\PackageFiles\A23355E6-D6F1-4C84-AEDB-612CEF15BA37\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll2023-01-24 08:49:57.891 23542300x800000000000000044987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:57.141{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0961C6C630DD296A491497BC16CE080E,SHA256=5594145C931B09272D12E117E8508D47409F512A14B7C7C4B37AE80B62ABD4B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:58.003{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86E57E25B56C886E8FB09886610DDAE,SHA256=9421152F5199991D62B903732803A4FAF741E091187DA5A6033D531A1AC9070D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:56.166{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60718-false8.240.208.252-80http 23542300x800000000000000044994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:58.236{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C278F780865DBD32B05C3D59B99D5E,SHA256=D298C5B06896EA2F7D36AE5E44E5422AA04BC259F6690B3E8EC6C2703ED7841E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:59.078{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD77B85E3FC8F170AAD6A2C443A3C43C,SHA256=011E598F60D07110CA8ED400F4077BC9339C6F62A64CD553F17FB488CCF2B11F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:59.465{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:59.325{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837E935E8DE8569C0F387F24CFB42BE3,SHA256=780271550980B45DD6622DA883719D57AB46A2D9AD4D279D84769E25EBE21724,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:49:57.151{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49826-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:00.166{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC9FAAF79BBEEC416B661958AC70829,SHA256=0D9F44CEF9B1EF1E7EAEA42105F54565A5945B985D519722E82B6061DCE13C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:58.075{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local55711- 23542300x800000000000000044998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:00.428{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67916A260B6AE0FD7E25F74E0E64F258,SHA256=583F4CF328DAADD15E19DA49AEA3B7BE35104EB0167F8FD99E19398AA4A14099,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:01.270{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8506954FE7D14B22C5B9CAA6895278,SHA256=0E56FF8F83991C61671397E511322F98ECA57970EC0B9755FD070C174B7F429C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:49:59.782{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:01.517{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E278248D9C19A10EFF669DF70D35B26C,SHA256=481C34D8A0FB06C78C52175012274D73AC0245067E4CDA91EEB7C8A3371DB1C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:02.379{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B82A34468930267DDEE13C527EE2B2E,SHA256=839C3D047364692EEB19187E77A95242420A69825AEAC31362A66F45920CC3E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.876{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.872{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.869{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.866{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2B00-00000000B102}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.861{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.855{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2800-00000000B102}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.852{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2700-00000000B102}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.840{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.833{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2500-00000000B102}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.831{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9932-63CF-2300-00000000B102}2332C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.829{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9929-63CF-1D00-00000000B102}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.827{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1700-00000000B102}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.793{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.787{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1500-00000000B102}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.773{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1400-00000000B102}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.763{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1300-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.758{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1200-00000000B102}600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.748{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1100-00000000B102}388C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.737{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.727{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0F00-00000000B102}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.720{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0E00-00000000B102}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.706{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0D00-00000000B102}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.696{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0C00-00000000B102}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.651{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.648{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0900-00000000B102}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.605{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F337DDA22A7FE7E99EA6870BCEE7F2EC,SHA256=D8073BA5A8D5CFE0B50065D0E4A04AAA6FFDED8499D563B2A370269B603414ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:02.434{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:03.455{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFDE161482F5D7FD471FB34C31AC655,SHA256=8CC952FF383537D1681CFC759F812206D7EB532740FC27CF16BADD46F7880607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:03.640{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840C9E061B79F5E8F248096DBE535582,SHA256=1DF04571D322747238C676EC491265BC40602D77352A2C8B8853268DE686F3BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:03.352{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3000-00000000B102}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000019914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:04.550{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BEF25721E00FD79F0199F65374062D,SHA256=9C8387ED3D4D84F2DECA7C17DF9A493583A140927843E2B88A704EFFF215144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:04.736{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9737E834E003F124BEB4B2AEE871A337,SHA256=6A69C78EB8DB0EB2C8C1B5C027923FE5970A822085D6022F5122357793EB6DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:02.156{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49827-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:05.633{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38597670FC4046FEFB79199C490D41B1,SHA256=528BDFC555C6B02C65309BF276B6D5C40EC7FD2DE0A739B262049B98563D9021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.989{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.967{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.943{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.936{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.928{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A300-00000000B102}4440C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.922{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-A000-00000000B102}3300C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.920{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-9E00-00000000B102}3168C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.917{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99B3-63CF-8900-00000000B102}3616C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.914{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-994B-63CF-7B00-00000000B102}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.910{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.904{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4A00-00000000B102}3836C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.902{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4500-00000000B102}3660C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.900{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4400-00000000B102}3644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.898{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993A-63CF-3800-00000000B102}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.801{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0234A98CB9E053EC05A01218EF8471,SHA256=295E7BE9DB312282AF77589307184BBD5E7923B5D023B02D815FCEFA3BF47F7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.381{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3300-00000000B102}2304C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.378{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3100-00000000B102}2968C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:05.304{DAC7F284-9928-63CF-1100-00000000B102}388NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:06.913{2EF863A9-992A-63CF-1200-00000000B202}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A58B6331966122A5DA5388A46BEA593,SHA256=8917A0B596B3E9A1946F646EB9276F346232927D6132BA6E6EE22C71C745BB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:06.710{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA020EB09E7CA62B8EF3C3E4EC4BBDC,SHA256=C7A19796E793F6B6826535C934B83700AAD24F32CA94CEA90F978B4DC71B5A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.969{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.905{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F0AC2088B08548D039DEE6005C21877,SHA256=BB9880BC097D0DFD2D75BA7EA340F3DB54AD02B747B467AE36FA40406BCE01C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.780{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2DAE764B7857458B8B8F06999EC72C8,SHA256=026BFBCBC6C23012802FFD47574074E08AC689054A1BF82209615FB00651E7DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.218{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CC5354446CCCFB00FF4539420291F6,SHA256=4F7194823DE43218636E2C47C8AF1766BF89B64DE4CCCD4A5B4FAAA13ADD9736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.073{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1201-00000000B102}5436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.071{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1001-00000000B102}3852C:\Windows\system32\dstokenclean.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.046{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.028{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.015{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.014{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 10341000x800000000000000045052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.013{DAC7F284-9928-63CF-0D00-00000000B102}888908C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:06.006{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000019918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:07.793{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86485EC63291FBF5778A7DB24B0601F,SHA256=24266D2D00BD3FB5208B6D1A8D09D86508EC831438E4D9566F3B130C5C70D283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:07.989{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC26715B6A3E854391E42CCC362258F,SHA256=65619DE5AAAFB196F78790635A69858AE93553FDB26BB27ED72A25705640796C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:08.865{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4DCB709B8FED65C0E90D074D26456B,SHA256=236D8540C3E78FCA57C1962DCA3880F83B8DB284E33CA111B02B218458215121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:08.698{2EF863A9-992A-63CF-1100-00000000B202}936NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFa32f6.TMPMD5=E2CB32500431EF942111E447480ABD2D,SHA256=1981A2DA03F21A75184C52356779EC843CAB7AE59023CCB41579A0985DC1AA1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:04.783{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.939{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93311406D3DE9DE7518E626B247EA3E,SHA256=8E19758A77DA9357AEF33EB18F0FBD186B5232F21BC923265B49FFC13951AE74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.712{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.710{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.702{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.702{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.702{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.701{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.698{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000019923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.698{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 23542300x800000000000000019922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:09.557{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F2FD07B3B6364E8DE19A1EA2D95ED3B4,SHA256=0525B8C2BFDBD1B8CAE84FB3345B91F1FFE63EC31C00AF3C9AC6A71740F13296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:08.121{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49828-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.906{DAC7F284-9926-63CF-0B00-00000000B102}612828C:\Windows\system32\lsass.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.906{DAC7F284-9926-63CF-0B00-00000000B102}612748C:\Windows\system32\lsass.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.593{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.593{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.078{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9E59557EF6AA9A6A6D3ADC6A96980E,SHA256=31321AC60277B6448E2B0BA6BB4943972AA0BE27BE6F308500DFE5F2E3F01503,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000045101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-SetValue2023-01-24 08:50:10.195{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92fd0-0xdd9df250) 23542300x800000000000000045100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:10.164{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63926572F765CEB149F5C4C52F7D41BA,SHA256=88236EAC568535CDBBCD8B1FBBBFF57A4DEDC278B180B011EBF59AA45918E4F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:10.023{DAC7F284-9926-63CF-0B00-00000000B102}612828C:\Windows\system32\lsass.exe{DAC7F284-9924-63CF-0100-00000000B102}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000019935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:11.010{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B10CAB210C9EC294EF07E790335F5FF,SHA256=B4150AD9C4E44D6DE725656350CCF6D58F6CD5D8B48D1CB5FAFE12D54B78C404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:11.253{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A664270868200A5FB2F28C37B72F10,SHA256=1BD313D0E01AD19EC60CFBEB8A0FAB01747FAAC4DEA855E40483525D691E6CC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.489{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60722-false10.0.1.14win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.489{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60722-false10.0.1.14win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.482{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60721-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.482{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60721-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local389ldap 23542300x800000000000000045102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:11.003{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56A5B27E36919D654FCF2FD50A0BA52B,SHA256=232A8E175E7AE00C1701621406F613F82A4F5FA6160875600316422F760428EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:12.095{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE3AB8CFFDE527F24AF0DC8583C02EE,SHA256=C250237B63083DB8FDE82546D926F78F03DA133F0980E966F4ADC30633AA1C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:12.342{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB421357749C97EA1D6D01F42AA218A,SHA256=3DD5804FC8C642E9A519BD31CFDA776AECF07F2776725F62B581880767C56CC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.783{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000045109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.599{DAC7F284-9924-63CF-0100-00000000B102}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60723-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local445microsoft-ds 354300x800000000000000045108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:09.599{DAC7F284-9924-63CF-0100-00000000B102}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local60723-truefe80:0:0:0:d9d:ebef:a2e9:a548win-dc-ctus-attack-range-759.attackrange.local445microsoft-ds 13241300x800000000000000019947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000019946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000a470a) 13241300x800000000000000019945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92fc8-0x7dff237f) 13241300x800000000000000019944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92fd0-0xdfc38b7f) 13241300x800000000000000019943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92fd9-0x4187f37f) 13241300x800000000000000019942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000019941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000a470a) 13241300x800000000000000019940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92fc8-0x7dff237f) 13241300x800000000000000019939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92fd0-0xdfc38b7f) 13241300x800000000000000019938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:50:13.828{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92fd9-0x4187f37f) 23542300x800000000000000019937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:13.273{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C692C92DC934809ED8402E2722D60A4,SHA256=4DB0CDDA8820007C622A6B134C4E121920988EC1E4F61263FE413CF2A8537DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:13.412{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F499687719333F459054B394D6D40B74,SHA256=0D659EEED19D2736F714A06805EF0F3C7315351AECC9A728110126A11B7A670A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.869{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.856{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.840{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.835{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.833{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.822{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.820{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.819{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.807{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.804{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.787{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.779{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.767{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.751{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.744{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.689{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.686{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.645{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.623{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.610{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.594{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.575{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.476{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.458{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.456{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.448{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.448{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.447{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.445{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000019949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.431{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000019948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.360{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696A57335A3E75E08B1F097A8B23C097,SHA256=C2CAC386A4617F749667830E4220DE1EDC80EAD287846584CDBD407ECC9424EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:14.491{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D8CBEF7737CB0320ECC119E4A3C4B8,SHA256=737DD39CD5A240EA9C15FB793D3A788ACDA050FE578EC9681C537314C7AB1ABD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:14.135{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:15.733{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5976CFDC5E8D84F08928C6BBC82676EC,SHA256=42165B69A82CB01B250ED41FC6F92132123E04852698CAC83990A870DCA91B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:15.562{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D908B6175037AD974F32E926F174BED5,SHA256=31C707AC40C464AADB1E5177D59587654288753CE962E4B7C846155CEAB79A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:16.848{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E9D5D312645C2F01B50A0B189DCDA9,SHA256=BFA40145E0C6B38DF9209E3782DA838E6DE1F583E330C3C5CAD5C0E6CD5C663A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:16.662{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C724C9AEE149E902B844BFE72344181,SHA256=E81007265C1689E5BA1F26306517CFA389BDE7F4EFEAD77FA26E6EDB9DEAE711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:17.936{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5B7B9E24474527259D558E6E22B3F5,SHA256=BA2D7DBA1A7449374735E618F70ECD8EB4D0909B6227D1AE8E2951F1A68DD21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:17.750{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F706B18A804CBA9E2DCC2D8F0F75D0A3,SHA256=F3554DD126D68051F591949F27BB6A7FC9E75D6631523318EB06B33B2D5EB8A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:17.633{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2100-00000000B202}1500C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:17.278{2EF863A9-992B-63CF-1600-00000000B202}12241492C:\Windows\System32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:15.656{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:18.839{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE9729816383C07C885CDB383B44222,SHA256=1D3C1D67FF3002B1D9311A99A2EE4AC866F3957A6C93C4258E1269750D6065A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:19.230{2EF863A9-992B-63CF-1E00-00000000B202}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=AE88A13122C673039350C40B1B0E041E,SHA256=C1D055B3D58F80FC67E610F8F62395FDA9A09F824F12140CE137C7034EA20408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:19.027{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C027AE1F5FDB2D757BC88C1120A3968,SHA256=747B0649ACCCE5DDD6910FC970DC5D49B173B5823EE3DC8FE24102226B2648D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:19.928{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACCECBAB0882AE191066BB38337A1F,SHA256=C87B45E5A6DE9D4D0E2F42F03E7FA673D04875BAA923D38EEA29AB2E637F6BF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:19.214{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000019990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.922{2EF863A9-9B8C-63CF-E500-00000000B202}3496NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.922{2EF863A9-9B8C-63CF-E500-00000000B202}3496NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.912{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDACBE7C87E9C8E5A85902CA6395AAAD,SHA256=DA31DE7A82B79DA4DB7D585721684C3B061E08414D7FCAAA983645E0E178BC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.212{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5498DB595A01420D4A96E586FF511605,SHA256=CCA8B2FCCF2A5F982AD660DE6BF6AF27E229A69F7C87BE59F16218EA3FCF859D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:20.228{DAC7F284-9939-63CF-2D00-00000000B102}2668NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.360{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.361{2EF863A9-9BCD-63CF-ED00-00000000B202}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.297{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D81CA2C2B5FC8CF58F54168B1018627,SHA256=E05897FDDD53F7BDC1EDCB1D7BAA3A0AF3D5C560F8ECD1078CB569051BBF764A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:21.833{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F48E0F3C6CBCCC7DE60C972E591F6C9,SHA256=ABF8A0B6BE4234BB3D37E7800559BB86B7B05DEA6B2F3C47BFD22596A0960C8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:21.020{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD50CF70C5EB7990A795BDD746181DDB,SHA256=F5253CE76D349BB4CF2E7418CAE134F668AF130041DC294CEA61E7DB7F6F68BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.095{2EF863A9-9B8C-63CF-E500-00000000B202}3496NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etlMD5=A51F41036AB5C59544D5A46A72C81F30,SHA256=38D874FC237D5C9DBC01A1811463713D75C0661B4456E9BECEFD1E5C2EA54728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:21.000{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1F879A20972B7AE7E6913D66DFE1B402,SHA256=29B10739BD7023F926E459D95E30BF9EF9023216AEFADFB53CE35662EBBCB6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.971{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.972{2EF863A9-9BCE-63CF-EF00-00000000B202}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.722{2EF863A9-992B-63CF-1E00-00000000B202}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AA474107658A69ECCF495FCEFD9642D8,SHA256=8A93E757BEF042AD05E48EFFF990BDAE948101656E9DD60415A970496389A26B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.581{2EF863A9-9BCE-63CF-EE00-00000000B202}40523652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.461{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B4FB7BAA38DF434A37DAA37963C16C8,SHA256=022E354D2085E777B6756689805ABF21276FCD3A3F9A70942C0702DA99D2915B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.461{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DD59D3B813616A2E192A0CB9D3D8D5,SHA256=8A5EDDB98C120E9779F17A460BD587DE599E60F3F0FC2DF6BDACA0E1D899C6DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.854{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.852{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.849{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.845{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2B00-00000000B102}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.839{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.834{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2800-00000000B102}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.832{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2700-00000000B102}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.824{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.819{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2500-00000000B102}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.816{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9932-63CF-2300-00000000B102}2332C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.814{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9929-63CF-1D00-00000000B102}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.810{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1700-00000000B102}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.779{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.773{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1500-00000000B102}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.761{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1400-00000000B102}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.754{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1300-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.750{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1200-00000000B102}600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.742{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1100-00000000B102}388C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.731{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.721{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0F00-00000000B102}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.713{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0E00-00000000B102}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.702{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0D00-00000000B102}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.695{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0C00-00000000B102}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.654{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.652{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0900-00000000B102}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000045124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:19.800{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000045123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:22.109{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F4C0A2C9A912E6E89B40AB80D50DF9,SHA256=46681B5794DD4EB741A77741D2A2232D2D9926C6B258903986CFB641EF319652,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.294{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:22.295{2EF863A9-9BCE-63CF-EE00-00000000B202}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000020008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:20.086{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49831-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:23.585{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A12FA34849640FD3579F6DD169E0AE,SHA256=966EA6438EB9E9B54629FC8D8382D079199FAB8FF36EE55E6EA844DFF7E22CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:20.811{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:23.228{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3000-00000000B102}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000045150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:23.160{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9933B6B94A48F13B261E8DC02699A948,SHA256=097934525F136542FBB83DECC5B77C90113F9741EA41DB07BE917BA49308BB64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.647{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9969A3A2F3EBBCE6150E367090D274C1,SHA256=9C14F6CDA3CA8EA3539B73EBB9F36F96E91D39800201E8BCF0DCCC5E650ED40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:24.238{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651EC01F96D9C8976A167B07C0927025,SHA256=1596AB3CE5FF5063272F9F058B0D77481AE2AC36B80AD6349E19EBDD4D4B7405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.522{2EF863A9-9BD0-63CF-F000-00000000B202}38082252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.166{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.160{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:24.159{2EF863A9-9BD0-63CF-F000-00000000B202}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.735{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4EB8CFB20285A26F02C7DB07C4DE34,SHA256=80A5B58DF6B865140C128C8D2A07403F3F4890BADBAACF509202581881F94E9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.626{2EF863A9-9BD1-63CF-F100-00000000B202}1083644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.241{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.242{2EF863A9-9BD1-63CF-F100-00000000B202}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.187{2EF863A9-992B-63CF-1C00-00000000B202}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a783e9299deb56f2\channels\health\respondent-20230124083909-010MD5=1AFBE5C623DD312030DBC0B522348F1B,SHA256=0F8D0E9DDBDC43E9A6E6678369B74D4C31FA056674B43C5D9776F07421F3C22E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.934{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1201-00000000B102}5436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.933{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1001-00000000B102}3852C:\Windows\system32\dstokenclean.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.921{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.908{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.900{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.892{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.877{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.862{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.830{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.819{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.809{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A300-00000000B102}4440C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.803{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-A000-00000000B102}3300C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.802{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-9E00-00000000B102}3168C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.798{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99B3-63CF-8900-00000000B102}3616C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.794{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-994B-63CF-7B00-00000000B102}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.792{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.788{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4A00-00000000B102}3836C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.787{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4500-00000000B102}3660C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.784{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4400-00000000B102}3644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.783{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993A-63CF-3800-00000000B102}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 23542300x800000000000000045156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.314{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5513C2C79BEB4780CC05A20C6D84F9,SHA256=8CFFE7FB807366BD6EA743E5DDC70F83F764A659D58A7B56C197157641E5770E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.277{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3300-00000000B102}2304C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 10341000x800000000000000045154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:25.276{DAC7F284-99FF-63CF-B900-00000000B102}58085964C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3100-00000000B102}2968C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000131803D0) 354300x800000000000000020087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:25.150{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49832-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.808{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68D21786B1EA22190217FEF1751232D,SHA256=B6B408748EB547947FADB7491C97104F267B5C6D6B56663D081901BD81C83AD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.405{2EF863A9-9BD2-63CF-F200-00000000B202}40484080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.197{2EF863A9-992B-63CF-1C00-00000000B202}1908NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a783e9299deb56f2\channels\health\surveyor-20230124083907-011MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.114{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:26.115{2EF863A9-9BD2-63CF-F200-00000000B202}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:26.383{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87DE9448098A9BF2C20866C5F780774,SHA256=B7F898FC8288EF2C8BBBA489D94F0252B60C753F3D7E8CC9A0BF54AC26491FE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.867{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F532541D671CF1875E415466ECBC95F,SHA256=BDE94D5E855D096D5B042833CD04D657DBF9ADBDE417533E574DA0CDADF30F4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992C-63CF-2B00-00000000B202}28722892C:\Windows\system32\conhost.exe{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.742{2EF863A9-992B-63CF-1E00-00000000B202}19923140C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:27.743{2EF863A9-9BD3-63CF-F300-00000000B202}2236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.878{DAC7F284-9928-63CF-1600-00000000B102}12961396C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.878{DAC7F284-9928-63CF-1600-00000000B102}12961348C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-9928-63CF-0C00-00000000B102}832864C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-99F3-63CF-9D00-00000000B102}3420844C:\Windows\system32\csrss.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.864{DAC7F284-9928-63CF-0C00-00000000B102}832864C:\Windows\system32\svchost.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.784{DAC7F284-9928-63CF-1400-00000000B102}10682036C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:27.472{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF40D0F366E0AF69008669FCCEA9DEC6,SHA256=A3CC8BE309621DCAFFBD703F08C1C4B64C10799B0CFD4187D2BDFF0773159EDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:28.951{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755B49DA3EBF507397A04C7C24C2A3F7,SHA256=C1407B1C8951152F295671991E47E5F3C9E3938FC9715DA5EA2F6EBB56583F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:28.911{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B929EF2ABFE08040A8E8C33CD56C0056,SHA256=9175506521C0136EDE0523170740A8F1D3E0F2A6292F099F5778506C2F6310CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:28.976{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FBACC4B7BA85A5B15FC5AAE9CA78B41,SHA256=B92CB2FA787F9FC118E42BB8758EE21901C3C14ACD8D505265760DEAED4395A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:28.560{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4383E542CAD05A4432F09F239B11C26,SHA256=6C02A8CC8267093823F23515B1C59B351CC2DAE7895B3920DA3BAB561AAA2B33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:26.621{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.929{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.929{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.929{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD3-63CF-2801-00000000B102}2176C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000045189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:29.648{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDC7E48C5D48A2FFDC237056F82851D,SHA256=C304F28C88E411BE50D478FA20E63DD241D645F70081BB0E2E25EBF5E7DF7F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:30.043{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16BB4F03691409D569B706669CBD158,SHA256=3C1287BB237F4A85FFE4A6BF3624D6AA486EEF9D5299C405B2A0950C27293C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:30.729{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B7AD13D853DA8109EBC64486E0CA2A,SHA256=F9320A2F05D06A67AD090D227704C1C268ED40AF475430CFF2B62596174BE1EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:31.134{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E42DC300CA5F90915589CB2E4B392E,SHA256=A713736C6205A80CB8AE5C2D382D9BF4E9A1BCC7BA39BF6F9AEE6BE64C812D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:31.817{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCD45078D18623404AA4853BD965ED5,SHA256=7CC7C0F8638E82A0FEFEF4A90D6C43FF18EF5B182F25D3FB1664E75E31419840,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:32.890{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3D8B505097F5C259CFD4E0B097654E,SHA256=60A0DF8A83FF5171D44026B4C55C42DEB8A4DECFA56963222EE91DF090241B00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:32.218{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC9E58B1CCC55D903CCCE544EDF5DCE,SHA256=96D115144B8079CD044748E313CF334285C0D07E78806AEDFF8F55108F9776DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:33.294{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CAE3923E2C805EFDDCBF6EB3790CE4,SHA256=D290B2BFF2F76161DC81F1183E2EDF1A733F9B43B6E8E21B3EA425E5C40A8190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.974{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE75140CA3D2D16A79B94C1C99314CE6,SHA256=5241E4413EEB0E4E4452F9C2D7EF7F1764DC084A13BE75CCF5AACEBF62CCCDF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.582{DAC7F284-9928-63CF-1600-00000000B102}12961396C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.582{DAC7F284-9928-63CF-1600-00000000B102}12961348C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.582{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-99F3-63CF-9D00-00000000B102}34202196C:\Windows\system32\csrss.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-9928-63CF-0C00-00000000B102}832864C:\Windows\system32\svchost.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:33.566{DAC7F284-9928-63CF-0D00-00000000B102}8881268C:\Windows\system32\svchost.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000020107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:31.196{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49833-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000020139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.882{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.875{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.868{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.852{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.851{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.844{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.843{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.840{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.838{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.836{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.821{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.814{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.805{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.795{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.791{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.772{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.767{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.738{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.704{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.675{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.654{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.626{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.542{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.526{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.497{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.460{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.445{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.434{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.423{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 10341000x800000000000000020110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.418{2EF863A9-992B-63CF-2100-00000000B202}15002924C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000018134850) 23542300x800000000000000020109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:34.375{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D829C8260EA769EA61F31CB496225376,SHA256=6C816709D1E42199EC9FAA2298D59F38285709B7B4586A2BEA83443A0C1E711D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:32.659{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.623{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E8B281F490245371E730A2C649F2587,SHA256=0CE1CAA1B2F733B252A0C09F4558CD21CC544C1B4BD5AC55F6674BB67442958D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9926-63CF-0500-00000000B102}396356C:\Windows\system32\csrss.exe{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.139{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:34.140{DAC7F284-9BDA-63CF-2A01-00000000B102}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:35.935{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88639C2C8F87D124176121920415AA50,SHA256=DE3D15EE904F80E6D1E6354A0B6DB660294F7B96E9FC78687EB1ED0648BEC118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.907{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.906{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.906{DAC7F284-99FF-63CF-B900-00000000B102}58085944C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9BD9-63CF-2901-00000000B102}5768C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000045223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.427{DAC7F284-9BDB-63CF-2B01-00000000B102}57602564C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9926-63CF-0500-00000000B102}396412C:\Windows\system32\csrss.exe{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.260{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.261{DAC7F284-9BDB-63CF-2B01-00000000B102}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.073{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15622578A9B7D25E054D6C150453FE71,SHA256=94A5221437A837EC169CA9394C91BD7624E617BB769F2E9025B4D9C8E6F62826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.137{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235E111E9F631FC49F758688FB826281,SHA256=670D934C5ED8261977F83889562DD98D87702D3188C1973ACCF283545EC57AC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9926-63CF-0500-00000000B102}396412C:\Windows\system32\csrss.exe{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:36.044{DAC7F284-9BDC-63CF-2C01-00000000B102}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:37.081{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7DBBACDE4094490304ECA002F49860,SHA256=3D56851301BB7573F23326616D1A1DBFD87BD3997CCBC9C52F2CD811D0FADE05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.568{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local60730-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local389ldap 354300x800000000000000045246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:35.568{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local60730-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-759.attackrange.local389ldap 10341000x800000000000000045245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.379{DAC7F284-9BDD-63CF-2D01-00000000B102}55643196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.223{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DC26EA2B5C66DFA7FC54C7102E2D04,SHA256=9F7FE5575C6A29D40C4DBC2AB46C46D682A4DD6EB5792AE4A2D3FD912C8B147C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:37.161{DAC7F284-9BDD-63CF-2D01-00000000B102}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:38.166{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA09B81E4145151404E5627322A8EF73,SHA256=84E1440D0AAD633A681D00627C8D7DAC7380A7BA5652ED5CC34C10EEA61D2892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.473{DAC7F284-9BDE-63CF-2E01-00000000B102}41002856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.317{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF5D014805C2E64FB27F9604D4DAB3A,SHA256=4207DDA9748A72ADBBCE24881215F392A9877694DFE7495AE9531DA14CC3AEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9926-63CF-0500-00000000B102}3962468C:\Windows\system32\csrss.exe{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.285{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.286{DAC7F284-9BDE-63CF-2E01-00000000B102}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000020144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:37.206{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:39.245{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFBE08B1C0245ADAC3B336A57F7A655,SHA256=CA5AAA57BB1F260E4918D6ED917659B6752E90E1E914F06F32B10399DB71A5E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:39.405{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFCC3C8E83B5D140BC1A1ED1D664DA2,SHA256=4BCC3BA5C2C964BA06139AC2C91CE35C7C63C4EC47F38AB9ABF285F335C7E31D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:40.332{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F8E88A48F6EF16912FE85BDFC5601E3,SHA256=21754A35CF996ADFBDB2AC9D6B292B3135F0DBEF66479C67CAB786DA834067FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:40.495{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9F4A265CD24D0F557D1DC5600B615A,SHA256=E78BF92BD2719AE33C724EFA0C5CBECE5E0004638A0FDF23859AFDB89B89DF33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:41.433{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF2ACC67F526757E1A45C940A468DD9,SHA256=E99B5181D5964632F60696ADCFF5B141A6E85BC6C935CCEEA93EC3A120885A5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9926-63CF-0500-00000000B102}396356C:\Windows\system32\csrss.exe{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.943{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.944{DAC7F284-9BE1-63CF-3001-00000000B102}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:38.632{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.646{DAC7F284-9BE1-63CF-2F01-00000000B102}57524968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.584{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C66483438BA08650BC25BD03491708,SHA256=00E1FE4CD8664098BFC33764179B4086779D5D020FA583B77A1A1BD0E06F9EA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-993A-63CF-3800-00000000B102}32923312C:\Windows\system32\conhost.exe{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9926-63CF-0500-00000000B102}396356C:\Windows\system32\csrss.exe{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.443{DAC7F284-9939-63CF-2D00-00000000B102}26681376C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:41.444{DAC7F284-9BE1-63CF-2F01-00000000B102}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{DAC7F284-9926-63CF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000020147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:42.522{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7BA94AE34D05F226D139A08CD2CAAA,SHA256=9D741CF8AECE95F759F8E4907E6C5C655484D44645A9285E22FF9FD6D8462E7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.883{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.880{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.877{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.875{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2B00-00000000B102}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.870{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.864{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2800-00000000B102}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.863{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2700-00000000B102}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.855{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.850{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2500-00000000B102}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.847{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9932-63CF-2300-00000000B102}2332C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.846{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9929-63CF-1D00-00000000B102}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.844{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1700-00000000B102}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.815{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.809{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1500-00000000B102}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.795{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1400-00000000B102}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.787{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1300-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.781{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1200-00000000B102}600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.773{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1100-00000000B102}388C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.761{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.747{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0F00-00000000B102}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.727{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0E00-00000000B102}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.718{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0D00-00000000B102}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.710{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0C00-00000000B102}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.672{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000045281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.671{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ED529AA7E86C4C84A52B5752100050,SHA256=0EC21FAFD183C21B94017D93ACBAE38318CB97BD979ECE15568A3B59BBD8B316,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.667{DAC7F284-99FF-63CF-B900-00000000B102}58085528C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0900-00000000B102}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A78E3D0) 23542300x800000000000000045279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:42.562{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA95BF21D7681680778F29BD20677B63,SHA256=64720FBE1487737F18982674B9A599DFA14B240413D7CCF5A35A3A3CCCABEC32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:43.599{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB40ECAA361E187485B5BD68D26247D4,SHA256=4D433EA6741AEB53E9F48053B2399149DE19E0A4E765DE98C433E9A60BB473C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:43.711{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F5FE8B3D2E4C7D1E8EE74383B08F51,SHA256=FD21A84F2B809CC509B5A11929C9A7A97E3A440B18760B2DDBDA3151EC52424C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:43.214{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3000-00000000B102}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000020149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:44.673{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BF93356956FEB875A1A86AF9AD5B7D,SHA256=072D9F6A92B785316C96E0E8387596FE258F8DD43BAAC846B0537A763ECC67C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:44.798{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6676370FFD5C0AB22D48131621B8D93A,SHA256=447CEEFF9821402A620E96CFD15E7F88D0512AF1C6BB0C1C1B2173CD9D7B11FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:45.767{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEFD143CE4B5B10127E11CF0878D61E,SHA256=6CBD05050CAD8F0B2C95A4CCB38D44C97AA097BBD50D5A81ADCB4CADEA66E88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.903{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1201-00000000B102}5436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.903{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1001-00000000B102}3852C:\Windows\system32\dstokenclean.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.893{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.883{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.875{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.868{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.864{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC042B6F595ACC0D23C6DE2C00F830FA,SHA256=C4A0F66C438D7C9F5B216C93A1B894A8A661D4107A1CFDEDBD5B7F1EB3EAD2FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.857{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.847{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.816{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.807{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 354300x800000000000000020150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:43.202{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.798{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A300-00000000B102}4440C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.793{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-A000-00000000B102}3300C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.791{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-9E00-00000000B102}3168C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.787{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99B3-63CF-8900-00000000B102}3616C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.784{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-994B-63CF-7B00-00000000B102}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.781{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.778{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4A00-00000000B102}3836C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.777{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4500-00000000B102}3660C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.775{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4400-00000000B102}3644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.774{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993A-63CF-3800-00000000B102}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.255{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3300-00000000B102}2304C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.254{DAC7F284-99FF-63CF-B900-00000000B102}58085960C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3100-00000000B102}2968C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000045312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.021{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.021{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.021{DAC7F284-9926-63CF-0B00-00000000B102}612824C:\Windows\system32\lsass.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:45.008{DAC7F284-9928-63CF-0C00-00000000B102}832964C:\Windows\system32\svchost.exe{DAC7F284-99FF-63CF-B900-00000000B102}5808C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:46.830{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D20137BC9F3BF75EA971A51DD6912D2,SHA256=7EDB6D0B90BE20F2BB77D81CB127A4F08A7CDA84D3EED03FCC58417FCA94071D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:46.838{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4191761ACA6369DE90327DA9F4A2375F,SHA256=D775DA78546A5532DD9CC96612208B84948DA2A75E2C216340788D5B5BB7D71A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:43.774{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60732-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:47.912{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB90458951F835D982EB8DBAC31B5C4,SHA256=175E64AE47271E2E4262E764AF0ED4B79422F081AEB5FB8E1D7B5AF773561F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:47.926{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F4380F0C8A2726ECBBC488A53F48F3,SHA256=A38FA33984856AA3C2FDF5C32D5FF48D0A6E25F96343BA1018DDB1E24DE4850E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:48.991{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CE6A59221F518B52543416808F6B8D,SHA256=7CA87F7355386DCF29889534B9956E657A5A5C304B063EA0E3496436AFC83EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:49.008{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884B86726E5C286C0B155C20D0C18D1B,SHA256=7EC7F55D8EF7199B81D9E882D47FC105421320F9990F633549F1E3B9B9BFDA0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000020156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:49.178{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49836-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:50.091{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DE094B2045F1C184D7FAF7E76F1DC0,SHA256=3F613D1E957434E80F6BF4DBAC60DA08A1CFA87E7B0A0F070AB28768CFF5ED41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:50.091{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538A71F1552BEDDCC55932AB1EB001F0,SHA256=EEF96C10774A1E6F9C80857F06D58BAE95513590081B96C59C07E0079099192A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:51.176{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B253E8B47ED6643023A8745C57C15B40,SHA256=7EB8C9FABBA6D515BA241115DD15B890074003DE49B93EB14223E3E37D1FD7B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:49.629{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:51.179{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEA7C0D3D055C839B402C2A14212510,SHA256=7F50E6957E92C86967684EEB119B94274B01D9C676E4667E5B9C6A2B82B1D0B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:52.270{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCACDCCB8EAF8C3DD2AA781EE12AF085,SHA256=5CF4834B22AC6065773492BD6A16EF117A87B9FDBFD3425E4B79357C70904BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:52.267{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28329024FAD6C97DF201A07C63F15381,SHA256=2A5C8860EFE88069FF4BDDB6FBF57C421B3DDB35D37EBBDEFB4B13A8C4AFE46C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:53.360{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1750FBFEC6B9BECA69DB7B3B8204A189,SHA256=9E633F7E8B44C940F59AE63FF66FFF1402B3F6A3C561B91D16CC786F7103B592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:53.355{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECF0FE1C2BA61DFE7C2E7FD9328490A,SHA256=0455C3223EBCB3A028DCE8E3B6A42A97D2D7D1A2CB9C31AB938E3D3CDFFB6A9B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:53.077{2EF863A9-992B-63CF-1E00-00000000B202}1992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C3821C5449013BDCC94325A6CAA84CC2,SHA256=7D53A34A5051BFF1A128ECB5905787BB486D03D2D34E07923BD1D489A64E0E80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.988{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.963{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.943{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.910{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.899{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.835{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.780{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.756{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.738{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.709{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.605{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.596{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.582{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.522{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.483{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000020164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.456{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021A7EE53310D65EE0B68FE99C0E17D4,SHA256=17674CACB9397B05CFC06ECB01730EA18DBD637B2F83A1C9AD215A4DE10F735D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.448{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.422{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:54.415{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 23542300x800000000000000045345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:54.443{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C82FD651C87DE324509D14D4402023E,SHA256=DDE17E9BB5DBADE9E61B35D3868C69DA37FDCB8416ACB3B2CD3DE010EFB0D930,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.533{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089AD2149670A1BCF4C3CE722BDDC53E,SHA256=7AE7C73F1C124398C256391247F90408410D9310E0F1141A146EF168C4E451AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:55.526{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114EF722612260BEE0D6AD169B199811,SHA256=8344BD59F7DAFEBED47D56B3A12DC8DF027354EC184F3E6942F4D33EF1C6ACE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.091{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.079{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.076{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.071{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.063{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.058{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.056{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.052{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.042{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.040{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.019{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 10341000x800000000000000020180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.012{2EF863A9-992B-63CF-2100-00000000B202}15002500C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012838850) 354300x800000000000000020194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:55.177{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49837-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:56.568{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C3C120255BDDC0C3328880D68CFC2E,SHA256=4C648C11EEB6E1AC96DF746A235C701559C282B72DF99F9C1D092C5C7473C230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:56.605{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3598FDBB794965E0435EB23105EB8AC,SHA256=FF9F5676F0F741E1BA51975EF37D852933EC13361C0B1A511904391208373419,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:57.645{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4832A448C4CB2346AC52DBA6C79E457,SHA256=22B1AB4D2FF2A0B5FFF65E0DD9E8DB7F86947231F005450047673D3B059AC5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:57.694{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172892D199725467829A57E8E92B0EF4,SHA256=62AFEA9A626C6D24A4C35AC15C363AC66005A4CA2A3ADB42236B951FED842A27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:54.803{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000020196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:58.733{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4762734E04358093B58835B5990C4871,SHA256=C6C185410319D0DE3D0484D7938032792A51A0ECCBC8CBF1A0D3442E865AE412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:58.798{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65F19087D703088E6603A631C36C93F,SHA256=E73AD5CB1D788DCB298D8D92503F0ECE6118C266C9FD4A5FFA3D74AB82647FDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:59.824{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7CF4F801B34009493FCFCA3A66A873,SHA256=395846956D8EFBD025AFE8FA20F8CEFF411EE8ED73D00B1ADAF34FC0AEFF619A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:50:59.886{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6922C4E1C47A962E40C89A0156AD446,SHA256=AAB7EFC736ABE04AFED978800D6DA487148348256E1FDCFAD847C91B2C5F39E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:00.934{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=172297D592BE9C2A123FCAC51B0E7E06,SHA256=CAA730A140E47E63CC58D33CAD3A1C980D446FC82C77EE6325AEA98BCA4AFD8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:00.918{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69E5F543BAF382C0DEAD41DDCEFAB13,SHA256=1A1A6079217578D3CCE3C3DE807F9109126E9B689314C272B3A03DE37E5DB792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:00.972{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7DFF166C1F344CB333DCC66AF4F35D,SHA256=4ACDCFD0E4211AFF05E296BCC29FB70ACD9973B2AC8BF927E34AFA06B11E8D33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000020201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:01.994{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED3724692448CA255510ED341493F6F,SHA256=9DAFF1484D85F7E5767EA59A9F68890A43DEE25CC8F98B462D4A9FC4C769E68B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000020200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:50:59.806{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.187.221.38-46928-false10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal3389ms-wbt-server 13241300x800000000000000045353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-SetValue2023-01-24 08:51:01.012{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92fd0-0xfbe90f61) 354300x800000000000000020202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:01.184{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49838-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.853{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.851{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2E00-00000000B102}2692C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.848{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2D00-00000000B102}2668C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.846{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2B00-00000000B102}2628C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.841{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2900-00000000B102}2612C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.836{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2800-00000000B102}2584C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.834{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2700-00000000B102}2576C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.826{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2600-00000000B102}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.821{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-2500-00000000B102}2484C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.818{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9932-63CF-2300-00000000B102}2332C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.816{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9929-63CF-1D00-00000000B102}2072C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.814{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1700-00000000B102}1440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.785{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1600-00000000B102}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.778{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1500-00000000B102}1240C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.763{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1400-00000000B102}1068C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.757{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1300-00000000B102}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.752{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1200-00000000B102}600C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.745{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1100-00000000B102}388C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.735{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-1000-00000000B102}92C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.724{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0F00-00000000B102}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.715{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0E00-00000000B102}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.706{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0D00-00000000B102}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.699{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9928-63CF-0C00-00000000B102}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.663{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0B00-00000000B102}612C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.659{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9926-63CF-0900-00000000B102}552C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000045354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:02.090{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23120C030D5E2ECBE86B953FDD3834B3,SHA256=150E4C8F027CC11B53D85FE2566F2D806F45EF6554E154A407BAFE18EE61A63D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000020286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.938{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000020285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.938{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000020284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.938{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000020283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.938{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000020282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.938{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x800000000000000020281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.938{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x800000000000000020280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249InvDB-DriverVerSetValue2023-01-24 08:51:03.937{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 10341000x800000000000000020279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.923{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.922{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.922{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.922{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.922{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.922{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 13241300x800000000000000020273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.899{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x800000000000000020272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.899{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x800000000000000020271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.899{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x800000000000000020270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.899{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x800000000000000020269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.899{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x800000000000000020268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:03.899{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x800000000000000020267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249InvDB-DriverVerSetValue2023-01-24 08:51:03.887{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 10341000x800000000000000020266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.864{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.863{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.855{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.855{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.717{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.717{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.713{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.711{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.711{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.710{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.709{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.709{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.706{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.706{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.705{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.705{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.704{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.704{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.701{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.700{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 23542300x800000000000000020246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.692{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B364E325BD043297F3D389BA1630493,SHA256=CB1A4C1C87A17F9E3B79E5AD05F54A9635B5D08D883564231E680C7146C1572A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:03.245{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3000-00000000B102}2836C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:03.149{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A70869A866681CE944EA8E3F3951C7B,SHA256=BFCAE15B2C56572D0D1A7C11F04FD2553DA5AF05CEE05028E52943309FFF3FFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.592{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.576{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.576{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000020232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.576{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000020231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.576{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000020230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.576{2EF863A9-9BF7-63CF-F400-00000000B202}34843840C:\Windows\System32\smss.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000020229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.577{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{2EF863A9-9BF7-63CF-F400-00000000B202}3484C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c 10341000x800000000000000020228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.561{2EF863A9-9926-63CF-0200-00000000B202}304312C:\Windows\System32\smss.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.561{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.514{2EF863A9-9BF7-63CF-F400-00000000B202}34843840C:\Windows\System32\smss.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000020216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.518{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{2EF863A9-9BF7-63CF-F400-00000000B202}3484C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c 10341000x800000000000000020215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-9926-63CF-0200-00000000B202}304312C:\Windows\System32\smss.exe{2EF863A9-9BF7-63CF-F400-00000000B202}3484C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.498{2EF863A9-9926-63CF-0200-00000000B202}304476C:\Windows\System32\smss.exe{2EF863A9-9BF7-63CF-F400-00000000B202}3484C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x800000000000000020204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.501{2EF863A9-9BF7-63CF-F400-00000000B202}3484C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 0000012c 0000007c C:\Windows\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x800000000000000020203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:03.082{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D67C9EBA23C2799973DAD3C3AFE00AF,SHA256=B6C7AE1C84C553A683F9B9A165F2B07AA7FF8A116B7279DF734921E5A4250A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:00.784{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000020346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.962{2EF863A9-992A-63CF-1100-00000000B202}9361208C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.946{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.946{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.946{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9BF7-63CF-F500-00000000B202}25923092C:\Windows\system32\csrss.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:04.330{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA47B73A2693C50BA5421281D914C3E3,SHA256=72E56D8B1C4FC56E2139AA2E96FAE530B3F5420FD035A482F862333F994D79F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9BF7-63CF-F600-00000000B202}11043692C:\Windows\system32\winlogon.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.934{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{2EF863A9-9BF8-63CF-DA72-100000000000}0x1072da2SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000020328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9BF7-63CF-F500-00000000B202}25923032C:\Windows\system32\csrss.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1cfbe|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1b476|C:\Windows\system32\lsasrv.dll+1ca25|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9BF7-63CF-F600-00000000B202}11042696C:\Windows\system32\winlogon.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.932{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a5a855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000020313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.931{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.915{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.915{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.915{2EF863A9-992A-63CF-1100-00000000B202}9361208C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.915{2EF863A9-992A-63CF-1100-00000000B202}9361208C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.915{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.915{2EF863A9-992A-63CF-1100-00000000B202}9361208C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.915{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.821{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.821{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.821{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.760{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.760{2EF863A9-9BF7-63CF-F500-00000000B202}25923008C:\Windows\system32\csrss.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000020299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.747{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B114377E7E5F48116D2D4885CD863A,SHA256=C12BB306CB87D47607774032F289710BDE4B9DD0DDE5907B199B571427C09981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.745{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=49A1573823352879439D568F17E20F5D,SHA256=EA181EB86181891E0872C16E29FD44BFC9581489CCDA15BD4CAB29B4FED05739,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.410{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.410{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.379{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.379{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.379{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.355{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.275{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.275{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.275{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.103{2EF863A9-992A-63CF-1100-00000000B202}936NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:04.056{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:01.990{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A50971- 17141700x800000000000000020495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:05.987{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-5c10bb8d-ab1a-44eb-af40-3f36682b0008C:\Windows\System32\svchost.exe 10341000x800000000000000020494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.975{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.940{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F9D49130BA8A52A57489CC3431ECA1,SHA256=4BD03B812E142B9287864BF3A050B7B7938D55D875FA0AA54C5234F28A840D61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.929{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.929{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.916{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71C32CFCF1624C5814D746EE7107FFD,SHA256=3DDC271960BC270E24CE3D29C22AB1DE3E4C7244D79C976C138389B90BE4103F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.871{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.855{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.855{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.855{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.855{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.855{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.855{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.855{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.852{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.852{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000020479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:05.847{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-e3f15c4b-c39f-41d5-9b0e-b3c90c276ea2C:\Windows\System32\svchost.exe 17141700x800000000000000020478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:05.847{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-e3f15c4b-c39f-41d5-9b0e-b3c90c276ea2C:\Windows\System32\svchost.exe 10341000x800000000000000020477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.846{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.845{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000020475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:05.845{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-1a19b913-1d29-45e5-957a-0b592b57be50C:\Windows\System32\svchost.exe 17141700x800000000000000020474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:05.845{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-1a19b913-1d29-45e5-957a-0b592b57be50C:\Windows\System32\svchost.exe 10341000x800000000000000020473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.840{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.838{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.834{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000020470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.834{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.820{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.820{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.813{2EF863A9-992B-63CF-1500-00000000B202}10921580C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.813{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.812{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.811{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.811{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.811{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.811{2EF863A9-992A-63CF-1000-00000000B202}9283388C:\Windows\System32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\termsrv.dll+a1377|c:\windows\system32\termsrv.dll+6a6bd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.950{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1201-00000000B102}5436C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.950{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9B82-63CF-1001-00000000B102}3852C:\Windows\system32\dstokenclean.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.940{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4E-63CF-DD00-00000000B102}5740C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.929{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4C-63CF-DC00-00000000B102}4336C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.919{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A4B-63CF-DB00-00000000B102}4488C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.912{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9A44-63CF-D500-00000000B102}5324C:\Temp\OfficeSetup.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.901{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B200-00000000B102}2820C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.890{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F8-63CF-B100-00000000B102}4668C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.851{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F7-63CF-AE00-00000000B102}5044C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.843{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A600-00000000B102}4524C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.834{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F6-63CF-A300-00000000B102}4440C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.827{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-A000-00000000B102}3300C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.823{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99F4-63CF-9E00-00000000B102}3168C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.819{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-99B3-63CF-8900-00000000B102}3616C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.816{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-994B-63CF-7B00-00000000B102}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.813{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.808{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4A00-00000000B102}3836C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.807{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4500-00000000B102}3660C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.804{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993B-63CF-4400-00000000B102}3644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.804{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-993A-63CF-3800-00000000B102}3292C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000045388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.393{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0496390C72174E651B3BEA62CC701AAF,SHA256=D09795D5EA6EBB3F2222ABF06D96788D99912FF797C39855CBC523016A5BA010,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.809{2EF863A9-992A-63CF-1100-00000000B202}9361324C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.809{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.809{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.808{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.808{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.808{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.808{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.807{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.807{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.806{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.806{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.799{2EF863A9-992A-63CF-1100-00000000B202}9361324C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.796{2EF863A9-9929-63CF-0A00-00000000B202}6081844C:\Windows\system32\services.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.787{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.786{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.786{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.786{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.786{2EF863A9-992B-63CF-1500-00000000B202}10921580C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.786{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.784{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.783{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.782{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.782{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.781{2EF863A9-992B-63CF-1500-00000000B202}10921580C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.781{2EF863A9-9929-63CF-0500-00000000B202}396944C:\Windows\system32\csrss.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.779{2EF863A9-9929-63CF-0A00-00000000B202}608668C:\Windows\system32\services.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.779{2EF863A9-992B-63CF-1500-00000000B202}10921580C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.778{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000020432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.776{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.775{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.775{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.773{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.750{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.750{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.748{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.732{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.730{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.730{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.718{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.714{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.714{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.695{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.695{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.695{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.623{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.523{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.523{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.442{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.441{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.441{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.411{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.409{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.407{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.406{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.404{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.404{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.404{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.400{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.400{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.399{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 23542300x800000000000000020398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.394{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2911106E31E053AF4943F93A7194F769,SHA256=1725895484C2E5E383DC44A6607EA68CA4F0D2B2DA618FF824CBA4085EC437FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.392{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.391{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.387{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.375{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.373{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.373{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.364{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.357{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.357{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.344{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.342{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.342{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.331{2EF863A9-9BF8-63CF-F700-00000000B202}2732628C:\Windows\system32\LogonUI.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.330{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.329{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.329{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.329{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.329{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.317{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.316{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.316{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.252{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.252{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.251{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.244{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.244{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.243{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.231{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.231{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.231{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.225{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.223{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.222{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.221{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.201{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.201{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.201{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.178{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.177{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.071{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=95C7FF9231CC3E42AAE11B2658E08F9C,SHA256=20639C3C6A7B37461D11CAD1C076B8D651E6457C9DDE11DBE6B483014AD13AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.040{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691F64018DA81557267C4F469F16BD36,SHA256=229DE7BE7A723B93FA43DCA0A934C4B1849F2AA1D9D2EF2A1193B2A63DAB0EE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.025{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.025{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.025{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.025{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.025{2EF863A9-992A-63CF-1100-00000000B202}9361208C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.025{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.009{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.009{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.009{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:05.009{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.329{DAC7F284-9928-63CF-1100-00000000B102}388NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.285{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3300-00000000B102}2304C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 10341000x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:05.282{DAC7F284-99FF-63CF-B900-00000000B102}58085848C:\Program Files\Aurora-Agent\aurora-agent.exe{DAC7F284-9939-63CF-3100-00000000B102}2968C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C80190) 23542300x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:06.459{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E9B6A11D0E3DFE59212649C78184D1,SHA256=D18E06954B033BFCBBA56B3BA83A2847632D25FF6C12640C68E445F37FC07E6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000020731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.991{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.991{2EF863A9-9BF7-63CF-F500-00000000B202}25923092C:\Windows\system32\csrss.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-992A-63CF-1000-00000000B202}9281220C:\Windows\System32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 154100x800000000000000020721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.980{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 23542300x800000000000000020720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.975{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBC2473CB2D203E73693D085087C459,SHA256=189CAFEFEDF516ACC4A21F41098B5CBB264A5E566E0D631B092BAC2E59F5590E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.960{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-1100-00000000B202}9362388C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-9BF7-63CF-F500-00000000B202}25923092C:\Windows\system32\csrss.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.944{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992B-63CF-1900-00000000B202}17964020C:\Windows\System32\spoolsv.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\spoolsv.exe+1b6e3|C:\Windows\System32\spoolsv.exe+1b549|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+3582b|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+415bd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.940{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000020689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-1200-00000000B202}996NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=61582A5994D27107B65611B105FB8521,SHA256=D4C4D59633D429645ED288953780ABBD29460DC8AAC8CB1732971D2FA65F33CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.928{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.913{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.913{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.913{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.913{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.826{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.817{2EF863A9-9BF8-63CF-F700-00000000B202}2732NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000020645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.787{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A62189350E149C9B148CD1339150F0D,SHA256=C50E6E2F4DC7B469D84D6CC3A2AEFE92FFFE152FE525CD1ED6B2EE63CFEB3108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.775{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.768{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.755{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.755{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.731{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.728{2EF863A9-9BF8-63CF-F700-00000000B202}2732NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.715{2EF863A9-992B-63CF-1600-00000000B202}12241492C:\Windows\System32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.705{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.705{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.705{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.704{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.704{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.704{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.676{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.675{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.675{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.674{2EF863A9-992A-63CF-1100-00000000B202}9361208C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.673{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.673{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.673{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.673{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.673{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.672{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.670{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.670{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.670{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.657{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.655{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.655{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.654{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.654{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.654{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.654{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.649{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E34EA15C40BB785973A1BBA7C3DE915,SHA256=65DA9BC09F54667D5C3B8BD4902ABDA40CB4782EE814BA2145CF49358D0BEC5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.649{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.640{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.640{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.640{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.640{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.611{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.611{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.611{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.610{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.610{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.610{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.609{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.609{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.609{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1b476|C:\Windows\system32\lsasrv.dll+1ca25|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.547{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.515{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F884ED1144AF739B31EE0C0702965D1,SHA256=44A39CF2D5EB5CBEC7E342D5F11DB34FD91690553CCB2423540565811E6ED8EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-1000-00000000B202}9283388C:\Windows\System32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\termsrv.dll+a1377|c:\windows\system32\termsrv.dll+6a9d8|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.500{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+5a18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.484{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.468{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.468{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.468{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.437{2EF863A9-992B-63CF-1600-00000000B202}12241492C:\Windows\System32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-992A-63CF-1000-00000000B202}928392C:\Windows\System32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\termsrv.dll+a1377|c:\windows\system32\termsrv.dll+6a9d8|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.193{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.169{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE07146E1317FDEAFB654ED67AAFC2D,SHA256=1CA8061D3D4C495310693ED214E3139D83751D1919C8DFACFF872DBFFEB9CFF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.141{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.141{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.141{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.136{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.135{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.135{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000020521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:06.134{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-016d19e8-30e3-4284-bfb6-cd01ba719896C:\Windows\System32\svchost.exe 17141700x800000000000000020520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:06.134{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-016d19e8-30e3-4284-bfb6-cd01ba719896C:\Windows\System32\svchost.exe 10341000x800000000000000020519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.118{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.102{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.102{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.102{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.102{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.102{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.102{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.087{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.087{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.087{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.087{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6D0CBE7B44B8D1804D6B103AFBC6872,SHA256=956ED6F2D0C5FCCE55E9578EEA7A5DB8DB7D9A2CECB90BAB790B5255D2AAE766,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.071{2EF863A9-9BF9-63CF-FA00-00000000B202}34602248C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000020499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.071{2EF863A9-9BF9-63CF-FA00-00000000B202}34602248C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000020498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.031{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.031{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BF8-63CF-F700-00000000B202}2732C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000020496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:05.987{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-5c10bb8d-ab1a-44eb-af40-3f36682b0008C:\Windows\System32\svchost.exe 10341000x800000000000000021112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.968{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x800000000000000021111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.967{2EF863A9-9BFB-63CF-0A01-00000000B202}29324144C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000021110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.966{2EF863A9-9BFB-63CF-0A01-00000000B202}29324144C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000021109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.962{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000021108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.962{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:07.557{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CF356715D5743FF9DA3E5134737968,SHA256=1E70E06C72F3A76E2EC0CA2A9C0901E406AAD9B9347B72482424462EAF7DD97D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.960{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x800000000000000021106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.939{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x800000000000000021105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.938{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000021104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.928{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.926{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000021102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.925{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.916{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.916{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.916{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.909{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.837{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.835{2EF863A9-9929-63CF-0A00-00000000B202}608684C:\Windows\system32\services.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.830{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.830{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.829{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.829{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.829{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.828{2EF863A9-9929-63CF-0A00-00000000B202}6081844C:\Windows\system32\services.exe{2EF863A9-9BFB-63CF-0401-00000000B202}2932C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.828{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe10.0.14393.5582 (rs1_release.221130-1719)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k AppReadinessC:\Windows\system32\NT AUTHORITY\SYSTEM{2EF863A9-9929-63CF-E703-000000000000}0x3e70SystemMD5=83557C9B0E94FCB9D5181D928563991C,SHA256=11FAEB577FAF552BE4FF2275195CD0B3471228EE56C25D38DE5261BF87DF48BA,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000021088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.826{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.826{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.826{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.826{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.817{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.817{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.761{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.761{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0800-00000000B202}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0700-00000000B202}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0500-00000000B202}396C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.760{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-993E-63CF-7400-00000000B202}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992D-63CF-3C00-00000000B202}2988C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2B00-00000000B202}2872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2700-00000000B202}2724C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.759{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF7-63CF-F500-00000000B202}2592C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2600-00000000B202}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992C-63CF-2200-00000000B202}2256C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1F00-00000000B202}2040C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1E00-00000000B202}1992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1C00-00000000B202}1908C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992D-63CF-4000-00000000B202}1816C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 354300x800000000000000021028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:06.360{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49839-false13.91.16.69-443https 10341000x800000000000000021027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1900-00000000B202}1796C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-2100-00000000B202}1500C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-2100-00000000B202}1500C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.758{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-99A6-63CF-8400-00000000B202}1264C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992B-63CF-1500-00000000B202}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.757{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1200-00000000B202}996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0F00-00000000B202}880C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000021000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0E00-00000000B202}872C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0D00-00000000B202}784C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-992A-63CF-0C00-00000000B202}716C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.756{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0900-00000000B202}564C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0800-00000000B202}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0800-00000000B202}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0700-00000000B202}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0700-00000000B202}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0500-00000000B202}396C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9929-63CF-0500-00000000B202}396C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9926-63CF-0200-00000000B202}304C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.755{2EF863A9-9BFB-63CF-0601-00000000B202}31083572C:\Program Files\Aurora-Agent\aurora-agent-util.exe{2EF863A9-9926-63CF-0100-00000000B202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+64185|C:\Program Files\Aurora-Agent\aurora-agent-util.exe+c358b0 10341000x800000000000000020974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.751{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.733{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.716{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.716{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.712{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etlMD5=184FA94EBB57B2609A3F5C014A01CC0D,SHA256=DCB008A7EA59EDDC58DF5FA0C952752415AF5C8017DE4535C9DE1683B1A386D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.653{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.653{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.652{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.652{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.652{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.651{2EF863A9-9BFB-63CF-0701-00000000B202}40563996C:\Windows\system32\userinit.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.595{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\explorer.exe10.0.14393.5648 (rs1_release.230105-1654)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=8F7BA5D66FBAB4AEB6075DBE6BE41A84,SHA256=E6F7E06CB3A4CA1B73DD708F2DA6AB86E5AC4BAAB1C26A98AC29EACBC869A28E,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x800000000000000020962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.641{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.641{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.641{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.634{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.616{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.616{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.616{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.615{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.615{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.615{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.613{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.613{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.613{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.613{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.613{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.613{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-FA00-00000000B202}3460C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.612{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.612{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.612{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000020943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.611{2EF863A9-9BFB-63CF-0801-00000000B202}3204480C:\Windows\system32\conhost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.585{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.585{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.543{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.543{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.543{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.537{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000020936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.526{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F418B1049D38F1D992D54C86848005,SHA256=298DB5D1959B687D04F3918E2FE779A5CE6CB244197F215D4C3D52D5D2E0CBD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.514{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.514{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.514{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.513{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.513{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.513{2EF863A9-9BF7-63CF-F600-00000000B202}11041832C:\Windows\system32\winlogon.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000020929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.511{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\System32\winlogon.exewinlogon.exe 10341000x800000000000000020928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.504{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.443{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4397D193004AB616F8E583B88DFE99,SHA256=C25F7E05F71A3DE4D532270E93524EF3D2EE902D75BA121273855D14BB9D7A53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.430{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.430{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.430{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.426{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.423{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6266e|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.423{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+6261d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000020920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:07.423{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-7365195e-0241-4bc1-babd-61734e5dd6b5C:\Windows\System32\svchost.exe 17141700x800000000000000020919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:07.422{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-7365195e-0241-4bc1-babd-61734e5dd6b5C:\Windows\System32\svchost.exe 10341000x800000000000000020918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.417{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.417{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.417{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.416{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.416{2EF863A9-992A-63CF-1100-00000000B202}9362388C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.411{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0700-00000000B202}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.411{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0700-00000000B202}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.411{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0700-00000000B202}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.410{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.410{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.409{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992A-63CF-1000-00000000B202}928C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.407{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.365{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.365{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.365{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FC00-00000000B202}3036C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.346{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.338{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.305{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2120DB5E523F02490BC6170257DB8D,SHA256=4538E8F2B1871286ACC0A6C44D6FEE413F4CC4F91E3A16788C4B70B00D121420,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000020895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:07.301{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-ca9aac69-4953-4235-b847-eb89937e61f8C:\Windows\System32\svchost.exe 17141700x800000000000000020894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:07.301{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-ca9aac69-4953-4235-b847-eb89937e61f8C:\Windows\System32\svchost.exe 10341000x800000000000000020893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.268{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.268{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.266{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.265{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.262{2EF863A9-992A-63CF-1100-00000000B202}9362444C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.248{2EF863A9-9BFB-63CF-0501-00000000B202}33841100C:\Windows\system32\conhost.exe{2EF863A9-9BFB-63CF-0101-00000000B202}3160C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.239{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.239{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.239{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFA-63CF-FB00-00000000B202}3680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.222{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.222{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.220{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.220{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.217{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.217{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.217{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.217{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.214{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.214{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000020874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.212{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.211{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.211{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.211{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.201{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.201{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.201{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.201{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.199{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0301-00000000B202}2604C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.192{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0501-00000000B202}3384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.191{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0301-00000000B202}2604C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.189{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0301-00000000B202}2604C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\UBPM.dll+ac80|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+107e6|c:\windows\system32\UBPM.dll+d3c9|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.189{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.189{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.189{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.189{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.184{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.180{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.180{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.179{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.179{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.179{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.179{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.178{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0101-00000000B202}3160C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.177{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0101-00000000B202}3160C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1700-00000000B202}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-9929-63CF-0A00-00000000B202}608684C:\Windows\system32\services.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000020838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:07.163{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-84a8f49b-5ce0-4da3-98fc-d9c831d709eaC:\Windows\System32\svchost.exe 17141700x800000000000000020837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:07.163{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-84a8f49b-5ce0-4da3-98fc-d9c831d709eaC:\Windows\System32\svchost.exe 10341000x800000000000000020836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.163{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFA-63CF-FD00-00000000B202}4080C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.147{2EF863A9-9BF7-63CF-F500-00000000B202}25923092C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0500-00000000B202}396412C:\Windows\system32\csrss.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000020827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}6081844C:\Windows\system32\services.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000020826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF8-63CF-F800-00000000B202}792C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x800000000000000020823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\FailureActionsBinary Data 13241300x800000000000000020822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\Security\SecurityBinary Data 13241300x800000000000000020821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\DisplayNameWindows Push Notifications User Service_11e174 13241300x800000000000000020820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000020819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\ErrorControlDWORD (0x00000000) 13241300x800000000000000020818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\StartDWORD (0x00000003) 13241300x800000000000000020817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_11e174\TypeDWORD (0x000000e0) 13241300x800000000000000020816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x800000000000000020815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\FailureActionsBinary Data 13241300x800000000000000020814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\Security\SecurityBinary Data 13241300x800000000000000020813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\DisplayNameUser Data Access_11e174 13241300x800000000000000020812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000020811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\ErrorControlDWORD (0x00000000) 13241300x800000000000000020810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\StartDWORD (0x00000003) 13241300x800000000000000020809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_11e174\TypeDWORD (0x000000e0) 13241300x800000000000000020808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x800000000000000020807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\FailureActionsBinary Data 13241300x800000000000000020806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\Security\SecurityBinary Data 13241300x800000000000000020805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\DisplayNameUser Data Storage_11e174 13241300x800000000000000020804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000020803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\ErrorControlDWORD (0x00000000) 13241300x800000000000000020802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\StartDWORD (0x00000003) 13241300x800000000000000020801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_11e174\TypeDWORD (0x000000e0) 13241300x800000000000000020800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x800000000000000020799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\FailureActionsBinary Data 13241300x800000000000000020798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\Security\SecurityBinary Data 13241300x800000000000000020797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\DisplayNameContact Data_11e174 13241300x800000000000000020796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000020795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\ErrorControlDWORD (0x00000000) 13241300x800000000000000020794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\StartDWORD (0x00000003) 13241300x800000000000000020793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_11e174\TypeDWORD (0x000000e0) 13241300x800000000000000020792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x800000000000000020791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\FailureActionsBinary Data 13241300x800000000000000020790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\Security\SecurityBinary Data 13241300x800000000000000020789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\DisplayNameSync Host_11e174 13241300x800000000000000020788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000020787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\ErrorControlDWORD (0x00000000) 13241300x800000000000000020786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\StartDWORD (0x00000002) 13241300x800000000000000020785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_11e174\TypeDWORD (0x000000e0) 13241300x800000000000000020784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x800000000000000020783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\FailureActionsBinary Data 13241300x800000000000000020782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\Security\SecurityBinary Data 13241300x800000000000000020781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\DisplayNameCDPUserSvc_11e174 13241300x800000000000000020780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x800000000000000020779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\ErrorControlDWORD (0x00000001) 13241300x800000000000000020778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249T1031,T1050SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\StartDWORD (0x00000002) 13241300x800000000000000020777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:07.132{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_11e174\TypeDWORD (0x000000e0) 10341000x800000000000000020776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.116{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000020771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.116{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2F3BDEC234BFE42792BFB3534B4DC3,SHA256=F1DFE0AB229D379EDE98DAA32DD2F1E38C8EB277D5CAE0E004433C45490DF375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000020770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.069{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.053{2EF863A9-9BFB-63CF-FE00-00000000B202}952900C:\Windows\System32\RuntimeBroker.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000020768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.053{2EF863A9-9BFB-63CF-FE00-00000000B202}952900C:\Windows\System32\RuntimeBroker.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000020767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BF7-63CF-F600-00000000B202}1104C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000020751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-ConnectPipe2023-01-24 08:51:07.007{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-010ae2f1-ea90-49f8-b882-5d148177f842C:\Windows\System32\svchost.exe 17141700x800000000000000020750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-CreatePipe2023-01-24 08:51:07.007{2EF863A9-992A-63CF-1000-00000000B202}928\TSVCPIPE-010ae2f1-ea90-49f8-b882-5d148177f842C:\Windows\System32\svchost.exe 10341000x800000000000000020749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000020736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.007{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1300-00000000B202}1008C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000020735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249Context,DeviceConntectedOrUpdatedSetValue2023-01-24 08:51:07.007{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\1\FriendlyNameMicrosoft Passport Container Enumeration Bus 13241300x800000000000000020734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249InvDB-DriverVerSetValue2023-01-24 08:51:06.991{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0003\DriverVersion10.0.14393.0 13241300x800000000000000020733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249Context,DeviceConntectedOrUpdatedSetValue2023-01-24 08:51:06.991{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\0\FriendlyNameSmart Card Device Enumeration Bus 13241300x800000000000000020732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249InvDB-DriverVerSetValue2023-01-24 08:51:06.991{2EF863A9-9926-63CF-0100-00000000B202}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0002\DriverVersion10.0.14393.0 23542300x800000000000000021396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.998{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A5D0E87F04F17346DA47B039598C4F,SHA256=FDE90C3B2640B78554FD5A2D8E552A11ED69A6BFE7286C91E8A313FF6FE5F99B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.989{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.988{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.988{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.988{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.987{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.987{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.982{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.982{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.982{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.982{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.982{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.981{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.981{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.980{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.979{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.979{2EF863A9-992A-63CF-1100-00000000B202}9362388C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+74a3|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.979{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.978{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.977{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.977{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.974{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.974{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.971{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.970{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.970{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.969{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.969{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.969{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.965{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.965{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.965{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.965{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.964{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.964{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.960{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.959{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.959{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.959{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.958{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.958{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.951{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.946{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.946{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.945{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.945{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.944{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.944{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.936{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.935{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.935{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.934{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.934{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.934{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:08.929{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\PolicyVersionDWORD (0x0000021a) 13241300x800000000000000021334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:08.929{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-3845273463-1331427702-1186551195-1148109977|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|M=microsoft.bioenrollment_cw5n1h2txyewy|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\|PFN=Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy| 10341000x800000000000000021333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.928{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.928{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.927{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.927{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.926{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.926{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.917{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.917{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.916{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.916{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.916{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.915{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.909{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.909{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:08.909{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5844DDE8-73A7-492B-AF71-61FD79658673}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 10341000x800000000000000021318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.908{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.908{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.908{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:08.908{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1EAF93C3-8E59-4B13-8E51-1D2072B84CC8}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 10341000x800000000000000021314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.908{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.902{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.901{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.901{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.900{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.900{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.900{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.898{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.898{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.898{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.898{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.894{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.894{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.893{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.893{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.892{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.892{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.886{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.885{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.885{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\Favorites\Bing.urlMD5=5D42DDDDA9951546C9D43F0062C94D39,SHA256=E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.884{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.885{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.884{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.884{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.868{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.860{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F765670DDE29CEEB94F77BF929D0C06,SHA256=70518A5855E5FE8171C2FD8FE07BCC151342523BEEBC73DFF72B0A27948E1C85,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.849{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt2023-01-18 16:10:33.663 23542300x800000000000000021287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.849{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txtMD5=9902BAEDC06FA4A8681E696EE6C73C06,SHA256=D0628FA63102EE74053BC6EFDD297AED794848F5DC300DAA7E391F4CF04E8511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.847{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.bakMD5=840DF767CAC9367CBBFD774EF011EAF3,SHA256=B2BAC5F3DE47D5C7ACDC0F8AFC4FFD4740260880C0A0CF4E4383495AB1AA98DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.843{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-992B-63CF-1600-00000000B202}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.838{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.837{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.837{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1DE7.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.836{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.835{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.831{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1DE7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.817{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.817{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.816{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.816{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.814{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:08.639{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F3F336B14D2F80C73D512C7A899980,SHA256=659ED04732CC81E6DEB7B875C0D8FFA332D248955BF45761D94CE4A03787B3F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.814{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.807{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.807{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.807{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.806{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.806{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.806{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.805{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.805{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.805{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.805{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.805{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.804{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.804{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.804{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.804{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 23542300x800000000000000021257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.788{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDAD5C25074432F9B86DC4CD83AB6FB,SHA256=531C3E2C9B717B52DFFF7A4CB97B024DE6B85486FA012C0F5514E7562E6F1F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.022{2EF863A9-9937-63CF-6200-00000000B202}3296C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49840-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000021255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.742{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.741{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.741{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.741{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.741{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.740{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.740{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.719{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26bca|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.719{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.666{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.656{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B533A7D1946950ED0CFF3E04F67F8C,SHA256=9E09FEF25963727D487DE8620A164294D4B4C7318E2F9D9ED6FF017C63AEEC03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.630{2EF863A9-9929-63CF-0B00-00000000B202}616664C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.630{2EF863A9-9929-63CF-0B00-00000000B202}616664C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.628{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1D0C.tmpMD5=CF791E2DF30E983DAA9F7CF2A0F46DAA,SHA256=7EDD143FCF7979B14390A36B12BF79955BCD92A583A5C51F38D12F3F369C9849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.626{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.626{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.626{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.625{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.625{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.625{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.624{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.624{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.624{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.622{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.622{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.622{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.620{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.620{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.620{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.615{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.614{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.614{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 23542300x800000000000000021223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.608{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1D0C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.606{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1CEB.tmpMD5=CF791E2DF30E983DAA9F7CF2A0F46DAA,SHA256=7EDD143FCF7979B14390A36B12BF79955BCD92A583A5C51F38D12F3F369C9849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.602{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.601{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.601{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.601{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.600{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.600{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.600{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.599{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.593{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1CEB.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.577{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.577{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.576{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.561{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0F01-00000000B202}4388C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.561{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0F01-00000000B202}4388C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.559{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0E01-00000000B202}4380C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.559{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0E01-00000000B202}4380C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.558{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.557{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.555{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.555{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:08.539{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXEHKU\S-1-5-21-2245655832-1998535435-1064043650-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214F9-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000021200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.539{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0E01-00000000B202}4380C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.538{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0F01-00000000B202}4388C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.538{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0E01-00000000B202}4380C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.538{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.538{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.538{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.537{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.537{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1C8D.tmpMD5=CF791E2DF30E983DAA9F7CF2A0F46DAA,SHA256=7EDD143FCF7979B14390A36B12BF79955BCD92A583A5C51F38D12F3F369C9849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.530{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0F01-00000000B202}4388C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.508{2EF863A9-9BF7-63CF-F500-00000000B202}25923092C:\Windows\system32\csrss.exe{2EF863A9-9BFC-63CF-0F01-00000000B202}4388C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.507{2EF863A9-9BFC-63CF-0D01-00000000B202}43284332C:\Windows\System32\ie4uinit.exe{2EF863A9-9BFC-63CF-0F01-00000000B202}4388C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+176c|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.507{2EF863A9-9BFC-63CF-0F01-00000000B202}4388C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x800000000000000021188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.506{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFC-63CF-0E01-00000000B202}4380C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.505{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.505{2EF863A9-9BFC-63CF-0D01-00000000B202}43284332C:\Windows\System32\ie4uinit.exe{2EF863A9-9BFC-63CF-0E01-00000000B202}4380C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+1743|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.503{2EF863A9-9BFC-63CF-0E01-00000000B202}4380C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x800000000000000021184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.500{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.488{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1C8D.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.485{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1C7C.tmpMD5=CF791E2DF30E983DAA9F7CF2A0F46DAA,SHA256=7EDD143FCF7979B14390A36B12BF79955BCD92A583A5C51F38D12F3F369C9849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.472{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1C7C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.470{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1C6B.tmpMD5=CF791E2DF30E983DAA9F7CF2A0F46DAA,SHA256=7EDD143FCF7979B14390A36B12BF79955BCD92A583A5C51F38D12F3F369C9849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.457{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.456{2EF863A9-9BFC-63CF-0C01-00000000B202}4240WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI1C6B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.447{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.447{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.426{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.426{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.404{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.401{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.401{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.401{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.401{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.401{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.400{2EF863A9-9BFC-63CF-0C01-00000000B202}42404244C:\Windows\System32\ie4uinit.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\ie4uinit.exe+2d19|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.400{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXEC:\Windows\System32\ie4uinit.exe -ClearIconCacheC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig 23542300x800000000000000021165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.386{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEE5CC32B77DC1CEF8C78DEAE134BE2,SHA256=5A79EF314B8D6BCE23782F6128EEF6DE3B9E48498D2323D43A5939DB35E82220,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.379{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.369{2EF863A9-9929-63CF-0B00-00000000B202}616664C:\Windows\system32\lsass.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.369{2EF863A9-9929-63CF-0B00-00000000B202}616664C:\Windows\system32\lsass.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.365{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.365{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.358{2EF863A9-992A-63CF-1100-00000000B202}9362388C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.358{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.356{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.354{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.302{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.286{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.286{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.286{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0801-00000000B202}3204C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.283{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.283{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.283{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.276{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.276{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.276{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0701-00000000B202}4056C:\Windows\system32\userinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.262{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000021144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.262{2EF863A9-992A-63CF-1100-00000000B202}9362524C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000021143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.254{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.254{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.254{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.254{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.254{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.253{2EF863A9-9BFB-63CF-0901-00000000B202}5283160C:\Windows\Explorer.EXE{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+552294|C:\Windows\System32\SHELL32.dll+551cf0|C:\Windows\System32\SHELL32.dll+551e64|C:\Windows\System32\SHELL32.dll+1f044d|C:\Windows\System32\SHELL32.dll+1f0308|C:\Windows\System32\SHELL32.dll+b68e1 154100x800000000000000021137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.247{2EF863A9-9BFC-63CF-0C01-00000000B202}4240C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXE"C:\Windows\System32\ie4uinit.exe" -UserConfigC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000021136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.246{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.246{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.245{2EF863A9-9BFC-63CF-0B01-00000000B202}41764204C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.196{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.151{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.121{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F97461717714F97B5ED06DF4AE5E76,SHA256=DDC738EDD797B220B0AE0BC4BAB51F7B085FB072E4F17D849B9C70062D76CE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.116{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DD8A784DE674E705CF7187C3A9563C,SHA256=AD14CA0CF3311257C19CE93B83FE12863B0351948F232B6C2DE43000DAE5D251,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.076{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.041{2EF863A9-9929-63CF-0A00-00000000B202}608684C:\Windows\system32\services.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.040{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.013{2EF863A9-9BFB-63CF-0201-00000000B202}8323312C:\Windows\system32\taskhostw.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.012{2EF863A9-9929-63CF-0500-00000000B202}396492C:\Windows\system32\csrss.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.012{2EF863A9-9929-63CF-0A00-00000000B202}6081844C:\Windows\system32\services.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.008{2EF863A9-9BFB-63CF-0201-00000000B202}8323312C:\Windows\system32\taskhostw.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.007{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+1f048|C:\Windows\system32\lsasrv.dll+1e271|C:\Windows\system32\lsasrv.dll+1ca8e|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.007{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.007{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9929-63CF-0B00-00000000B202}616C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.006{2EF863A9-9929-63CF-0B00-00000000B202}616656C:\Windows\system32\lsass.exe{2EF863A9-9929-63CF-0A00-00000000B202}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.999{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.999{2EF863A9-9929-63CF-0B00-00000000B202}616696C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.990{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.976{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000021114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.972{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000021113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:07.971{2EF863A9-9BFB-63CF-0A01-00000000B202}29324148C:\Windows\System32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 354300x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:06.629{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A57771- 23542300x800000000000000021891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.998{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{CAD3CFB0-7CDE-43F8-B95D-98E958A585B7}MD5=41ABD480C1392D97DF3ACFFE760D2804,SHA256=7BEF858DA7D8B87F8E4C7804731E91AF5618DF4838EFC2BE398F609078268479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.996{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{C5DABA0D-CF94-465F-9B6B-C598EE8CCEE8}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.994{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{BBD6B771-DF9C-48D4-99BF-77C177FAAD05}MD5=ED16924B1B7A952B1CB20D8515BEBB70,SHA256=6966D629DD24B6904DB8AA9C9F06197706E039848C15BE8FA738E4ED25F06B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.991{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B69C64CD-23EC-43CB-8DAE-EB6560EAACC3}MD5=A461B8A48DB3B6C08E072140728A43C4,SHA256=21C57136A790877DA3640B5691C0F651D503D133B2B6936F5203BEE3F30A9565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.989{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B59BA0CB-7100-4018-A4F9-D539D5F4E058}MD5=DA594A38AD299ADA683372EBA5881CAD,SHA256=F0529ED98871CFB5607C993309D0A3DDB84CE36EC2E41897CB6BD8EB683711CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.987{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B4D06CEE-9D19-4A4D-B72A-396F2B566927}MD5=5F0A30B2DC6750BA2867B7BC006BD8FB,SHA256=9051D648449406B051B8A06D3372962529004EE159132D437E89AB6AEFA8A880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.985{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B14CA865-C958-4580-9074-7E92964475FC}MD5=73252311BC2FB738EA33277A28F3596B,SHA256=7B6EA44D32065F717612C79F94114F9259C08D5465EBC007F16AEA92FD4D1CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.983{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B0DD03EF-8C20-43DB-BDD2-4CFAB623574E}MD5=74017CA605E121CBA7CF92459B8C5638,SHA256=A4B6642597D4E32EB8FAC89CB4450E226C3978F963BDBFE95ECCAA527F1E8EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.981{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{AD913853-B212-444B-9876-3E2C3A49A8EB}MD5=206A73951B8654BD2B70962A78C00BE1,SHA256=19DA4F01CBB9BFDD977E06AF58B95CEC1D4A027C776A178469251B5F0B9D9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.978{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A5400422-73B1-4B93-91A9-72E697208472}MD5=00B94F495BD57E421FEF46D7A1EECF44,SHA256=3C1C7F8A819B758DAD75031F99AEF06C94B418FA2FC199F82BFAE815483E11C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.976{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A4E61E50-3EF0-4DA6-8275-CD489D676DAB}MD5=2BA0F2705632CB30D7BCA6DF8D087F2D,SHA256=7E47070E9ED1DFB752DD755B918F943B0B231C0885F55DF05EE82470595E3022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.974{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9D07DE99-52F7-454A-8CE6-31DA9AA94ED8}MD5=9456CEECAC6A1245C482C3B82593846D,SHA256=963DE82340F63CFB27DFDD15CD5643FE93D6C0AADB0B96B7923F0E23815F10CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.972{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{98C2D61D-6107-43E9-BCD8-6EB83D77ADEF}MD5=60FFAC14CA2196E3D54342C4C45F7C2B,SHA256=9979DFF1E142B348644E5C7735FCD13D8871408DCF4E0913D9FD9A3EC8436C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.970{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9485A429-81C2-4352-A24F-92682A765D4B}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.968{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8D75FAE0-23F9-47DE-A54A-C2427D45DCAC}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.966{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8AB7F553-0827-496F-B610-82D31E06AC96}MD5=A2C26EBC40D4625D952314673C6141E9,SHA256=902AC55382C57835ED2151549B7D12211436E67A63B3B0E44FB384A661228729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.965{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891D5E7A-7A57-4CBF-9089-443EE49B6103}MD5=911DEFC897CECC2D0C78E5B96D5D515B,SHA256=965BD9A6F5738140EB5A51EFBC44129112C25FC82825BA7F30113602A6E8C902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.962{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891649DE-3DE4-49E5-90AC-0987EA95353B}MD5=05F75F6404996B3E39476104E78DF209,SHA256=1E4258113A2D151783ADB9D626D38E7F67CFAB9C79FE14B27E07170081D145C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.960{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{84B49252-6DEC-40A8-90BE-86AE577E1B23}MD5=55F95E08D08A7A3768F27800D9217B04,SHA256=37F9BC821FDE92326D617E96AA6ADB2DBE7EB2666B1A88451F9410B80A774377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.958{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{829BE0F1-69E1-42FD-A3B6-359E1C3C1345}MD5=B467C6E316631A8A0420CB9F40222D93,SHA256=55336E857424336DBC05D5B2B96AEAAE4D296B1D6D5B031A5869B25143624085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.956{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{80A3BBAD-ABC2-4C9D-86E6-B04FA287F655}MD5=4174344A2D19128BADE81E2EB14BDC1D,SHA256=FC6C1C04EE333CB336B7DC428C25B995F7B85F49ADBDC88EBC7262C1307885FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.954{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{74B164BF-3E71-46AF-8ACB-AAA4A76A5378}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.952{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{735E8BE6-1731-42CA-A8F3-B53E930EDCDB}MD5=18E3CA8C6CCA69E00EC76747FAB81F0B,SHA256=08148891128E558A6C3CD3EEEE68457F3D1A10F1A2720DE0A4E27D1543A4F785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.949{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{72CE2732-257D-4200-8BC3-7ABC84224683}MD5=854754F8D9E7F7D9AAF2FA7F6BE1A1EF,SHA256=E6F4EFACF3E1CAD20C8245C7B9408E2BE2C2D6FD70B781F48A4BA22F067ED731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.947{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D1CC60E-42DB-4A1B-A50C-DC1DF51BFBF1}MD5=5E74B43DD59C1AB6F5244DA6154DDEB4,SHA256=DB8971C2F98690196197BC5A5875D3233E0FBC7B512BFA60659E67D5296FE080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.945{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6A253CE4-5CE2-4926-BF13-2F00787D2097}MD5=D9E99905D3D6FB42429AAF5DE84FCADA,SHA256=B8359F6E6BC9E16731B65A9F8253C86E846E9C1F951B1351CBD649FA6E286BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.943{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{552E6613-D145-4B51-A24E-3C8B003E24A4}MD5=C359A6183B25EF8221256AFEDCE656B8,SHA256=E9122C2C02DEBBB1AFF1FBFE30465AFAA0CFBD4EAE9C10AEA58A6663DEE9EE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.942{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.dbMD5=A7F8296CDC5152AB7651B283020EEE4F,SHA256=8A553E97AE3298F7478DF69DF7F5AB092CA144143ED387C935A84306F41DBCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.941{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{526402D0-291F-4761-931C-0273D14B2CF0}MD5=0CE681BD1598F07606E87609151DC42A,SHA256=1334CF9557C973A9F6AF7280C8C165C434A24947DE6E1647B27E62CB822FF31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.939{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4FC5BD42-2CCF-4A96-AD8E-C83520ADB20F}MD5=922CD9F5F7320A813B0DAC1080EB7709,SHA256=346145F9100D8CA04CE7FC277D8775DF500D1FD1995F6CE28BBEEF685DFF04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.937{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4E171B62-A785-4231-B14E-626B192185F0}MD5=0796DDBF4C9B9D94DC5FD03E92485F28,SHA256=DBC10BA43AA770F1D3A36F7CAC2B50AE664804F28214B792E3C56266D7E8F377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.935{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CC3BE49-DBA3-470D-94C8-20CE40F2BCAA}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.933{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CA8F3BE-4DEC-4028-BAEF-6491FC4270C3}MD5=68F587A5B93845BD54716A6C6C932688,SHA256=3A319B5FA81F068C11959C024D08DADF279A00CA5C6B8C3F574C4DB64822AD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.931{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4975E0B9-496B-4FF0-BC0E-1E06B22BDD96}MD5=C8B4FC8B8745BDE84005D690D3A026B2,SHA256=8779E3A2B6294AED675906209B8CD86FE1A79E0D3770AED38600278C29E6E55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.929{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{48A82B41-50A4-42D7-B403-B5D5FC29426F}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.927{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3F7F98FC-AA70-447B-8115-EB5A44909800}MD5=F4AF1310D8D92B88BAB00ECA2F49C398,SHA256=3130C6EC89917106856DA972EA6157791A6F8DD405164F86B7EF73F849A158DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.925{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3A0E2E7D-9FED-42CB-8877-33CF7980ECDA}MD5=544AC2AEF10A0AAC6646D5D372CC839A,SHA256=E402AAF80000D1AE4C9C731B2D45E9E1D707C1F9ED0935EF065968C47306E85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.923{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{38A89348-B3AE-479E-9816-8957D41F333A}MD5=7E65C5A57A575C58A5405595565EA22E,SHA256=9FA31C4A02F57CEF0DE517567F7D218DA51B530A387E6198F25B60967C43AEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.921{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{33E693A3-517A-4347-A45E-3E8F1A25B030}MD5=1A1A2950F1D4A9770DF78E6CD2BCACC2,SHA256=28EA58D31BC5379C5760FC79481AFFAD0E1A132AAC6C794D8C849D6BDED9AE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.919{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3039DC32-E634-4F64-AD60-9038F8E7D74E}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.916{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{2D2370BB-9EFA-4648-B021-63A266D97A51}MD5=B590C6A1DBD4BAE99FED3744E0898536,SHA256=FEA47174536A406B031F040F394417218427405C4EB30558D6126A1AA79F6005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.914{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{24A5753E-C22E-49F4-BC08-F780BC6B1286}MD5=F3EFEAA4A73DB4D7D39C729FDE3305A7,SHA256=8C33FC0D66799635812F0F5F96B35C699ACAC5753DB1FFA89DA9520C81CAE9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.911{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1F6412A2-2B23-4074-A89D-9586B3CFBF11}MD5=9A987ABDC3B59D4D4E488190C758BC8A,SHA256=F9B1BF1FC533A009213B23911DBA90DF8E914BB93C458D7A86C89D8546AE1FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.909{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1CC42A14-06FE-4766-987D-39817BF3005F}MD5=3700764E031A12B2220A2C082EF7BBBE,SHA256=A772660D39E4150FB6017A0FDBDE096EB17128774678A018BFFEDCDB507101F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.906{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{19AC3423-5AC0-4CD7-9E2B-DB6C0DECE3C4}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.904{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{03152E59-DE8A-4AF5-8757-7FF15DC09A3C}MD5=25917526232EBDB7DE54634BFB5E6A33,SHA256=467251FCB3C564947AA615B69ECFC765763BBAA61B47CA13FD1895307E30125E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.894{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=A98EF91236D0A680740A3C0F10937087,SHA256=660FDBEDE1BFFF4F5F322F2DD862445A2BE9101828A32013843E5F6E0320D804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.892{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=CDD4A14258DC43D22C37F1E721AEC245,SHA256=0D9E19723D9ED66DD13CB8657808963130BAD94249F03228CCC68BB32FC360C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.888{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\appcache[1].manMD5=9C09D8D73BB5BB4E83BE6D75D117BCDA,SHA256=F34BC09B3486A486AABF2BE3A3E6728A5FCD17821CAF41CFAC78CE85A63C6AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.885{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=F98851A644D901C32D1152CF001C2A30,SHA256=8A450F4631B7F451F470B7E7EF723A872C962749001C75AB1E9A01FC2765766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.878{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=5B7A3FBF6CE7627737B7AE8F7F73AF2B,SHA256=E5C8A584A8EF5082455DF1B7D986CDF9160F0A5AFA0EC6FD360EAAB9A1A8C5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.875{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=FF638505C57813F0F9115CB2F853BC07,SHA256=18695997D547308B565AA0D9AC8FDF8981966A47AF431DCC943BCC882AB6ECB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.872{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=E68A5D04BF606560BDC326154A025956,SHA256=C32FBB255C914DA8336038933E799C5FEC8D50A0661B78DAB9E312131E7B7637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.870{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=10D7D30E23DBC108EC78C03F9E741566,SHA256=99355DBE0DDE1F5390AF8BA6FEB736E85B00C13E8D08B560DFE2D7EC5465E8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.868{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D20D4B52F55421E4F0EE293FA394F274,SHA256=6594DB803F6BEAC699E3B4FE1BFFF9F1A6C8B7D1CB43A9A92A7D6979EE62B9ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.865{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=766B33AB225A94D22C45803D32D1D2C4,SHA256=8BF750226E7E4720AFCD86820D0752946ABB11DB79EF62AFFA61EEC941AB5C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.862{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=6B559E6B268CC53FC0293A706E970550,SHA256=9179C223831AE54A2A21E24B1BDBD1D06C00098FA2A664F476756CEFA56C71E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.859{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=87C5803AC86277335317BEEC5B252EF0,SHA256=8F7211EC0F4E0532DB653FECB4F605EB4C3C6C9879B138185DB4AAF7245646BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.855{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=1DE957E6ECB8E53F1849E98E56D5D8F8,SHA256=D60A1010C3D82CAABA7C755C3A6423D7A268BCDC9EA4F27B10E8E14FD84ACD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.851{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=A6A758B9A843A9AE35166154D051C654,SHA256=59BEC20EBDB4ABAD19803E90044333A5781C755A3DDC0663A4A95E88AA0F45DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.839{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=4EA6D9CCAE439451E3EDC69589C21F52,SHA256=115EE9EFD86B0AB505977609DBC1409CAD55275ED187667B37C1F7453406AA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.832{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=7F25769992DF13C241A1F14C72781B7F,SHA256=C3F1170A49C7EE2CF721D222FA1F766543D0F69BBCB35BFA2C64453025365DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.826{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D2ECB824C1EBD5CAD726A8FA730F83BD,SHA256=9BA9C472659B68EC59A470063958FCF4C1B9F95670B884F95FF690DA601CADA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.817{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=91784C62BBC0181E5D1A1939D62C7576,SHA256=7C5953F43236E76AD1EABF5FB4E75FDC98F73A7686BFF5C023843D16A53C2CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.814{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=E15FA9A83F9216A78A5E4AE2C2C08305,SHA256=65E0957B6D224D885497EE696AA97F94FE98D8BFBBD4F927508ABD645A4182BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.812{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=83CDB65FC5E3B9880848CA153945CD99,SHA256=E2E2AC74937053440DD9592C7CC1619F3290A042838C9922D69E1B5BFF985B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.810{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=94E8C0A2D77D4C6A4CC2AA5D6D71B3FC,SHA256=F0E0AA4CBFFAC78A340ADD726D7D94A090CE6D8E6DEFBC9673531B4E5053B05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.808{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=3F65ED27EE681BC5D4F69A5C271DB6A1,SHA256=63828079B72050681B6811C4AA76A79CF8FB5F51E04B1596DBD761007BFC829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.805{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=006B1BF929F2A82B7AD00727A9F1623C,SHA256=A9F72540A0C0F03453F87AC641EB31BF401D6BE7A92F4615E9C49C7725BC3427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.803{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=203D482240E2A13DE24F8F82A9037348,SHA256=5B64FA6B42BE7F59D4D48C4C85ED73B9311003133E8F02F04AE6FA198CD81ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.801{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\appcache[1].manMD5=5F027173844AA0ED63AE4AC12D3B615C,SHA256=72ADFCEA238F8F0B956A60BED2C609F825973CA4D52B5D92E3D41C51E15B40DF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.789{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-4|C=S-1-15-3-15993189-1149757597-3280441496-4094800555|C=S-1-15-3-139472938-1339732804-1469114779-4031155563|C=S-1-15-3-1849407097-1086866290-155560606-3624675039|C=S-1-15-3-2015030808-1290041139-4103196845-2461361948|C=S-1-15-3-2973957182-1175190094-721927306-1883016034|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|M=microsoft.windows.shellexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|D=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy| 23542300x800000000000000021819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.782{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6C3B67519DBB4B3095356EB4988896,SHA256=B759423473CE88A3BB6A9298304B095E8AB385344D6F1BAE65582E26F0D45992,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.569{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49842-false104.18.32.68-80http 354300x800000000000000021817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.490{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49841-false172.64.155.188-80http 13241300x800000000000000021816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.776{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A4E9092F-98BB-4051-B124-FE07C2EBC1BB}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000021815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.775{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6AFE5822-6E2F-49F4-9F85-072D775D281D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000021814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.774{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F921AE17-E466-4A25-B133-65E2683EB60B}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x800000000000000021813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.773{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{07C9571C-F575-4074-8A7E-48F50EBE90AA}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 23542300x800000000000000021812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.751{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.binMD5=2477E1067EE108D32AA262307A357732,SHA256=C1A0FD9DA6CCA70C5D69C4E62FBDC08EBABCEAB018611E869B6F78EBABE9E640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.749{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.binMD5=1454E96AC56B9536AB32CCA75F5E5D45,SHA256=9568E2708BEE9FE90D3D981F9D52415DED574A95BF9525EEE961A2467C9F5325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.726{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=08D33FDECF9DFDB3AAA55E46F4DDF872,SHA256=8890B44AAD4579F4798FAE71AF174F6AA9BF78A2556F77174D8B4E457E600EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.724{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=134B2FB2E7188ED9BB83131C1F4907FC,SHA256=1D1EC260A84B289FDCEA6A538DE14870922F2FEDE4B45E10E138F239A8353562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.719{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\855533271\3923659455.priMD5=2D61605026CA74ED5301578606464552,SHA256=84019A9745D574D378277A1084C237265451F0C45196348372A715711610EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.717{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\3339743440\902793749.priMD5=98C999EAE532EE8FCB19ED482C1C0B6B,SHA256=081F850F71892C895B1808104D3C2B5293448F0F6B9E5003FD1D69DF5BD8E8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.715{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.714{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:09.720{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894E24FD5E9873E8D7D1784E76741C0A,SHA256=315938DD94ADA6AAA27095865C946F4A976333F762946F9178B5AB149B3258DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.714{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.713{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.713{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.712{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.704{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.704{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.704{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.703{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.703{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.703{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.703{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.702{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.702{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.702{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.702{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.701{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.701{2EF863A9-992A-63CF-1100-00000000B202}9361324C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1501-00000000B202}4676C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.701{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1501-00000000B202}4676C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.700{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.700{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.699{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.699{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.699{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C02141FFD8364B2363A9BBE59AC903,SHA256=ECCFBC1D99CE2635FB403167726065C0F94FE16AA04029C274B2A65B0179A4C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.690{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.689{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.689{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.689{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.689{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.689{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.688{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.645{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFD-63CF-1501-00000000B202}4676C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.645{2EF863A9-9BFB-63CF-0901-00000000B202}5283160C:\Windows\Explorer.EXE{2EF863A9-9BFD-63CF-1501-00000000B202}4676C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+552294|C:\Windows\System32\SHELL32.dll+551cf0|C:\Windows\System32\SHELL32.dll+551e64|C:\Windows\System32\SHELL32.dll+1f044d|C:\Windows\System32\SHELL32.dll+9fce9|C:\Windows\System32\SHELL32.dll+b68e1 154100x800000000000000021772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.645{2EF863A9-9BFD-63CF-1501-00000000B202}4676C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUserC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\explorer.exeC:\Windows\Explorer.EXE 13241300x800000000000000021771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.629{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2245655832-1998535435-1064043650-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x800000000000000021770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.628{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2245655832-1998535435-1064043650-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 10341000x800000000000000021769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.621{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.621{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.621{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 23542300x800000000000000021766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.620{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI20F5.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.619{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.619{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.618{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.618{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000021761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.618{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 23542300x800000000000000021760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.615{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI20F5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.607{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.607{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.606{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI20D4.tmpMD5=F6CB11A54A4C0FF683235C9DFC4453C0,SHA256=136469B55B9174CE1C71BCBE815BC667925ECFE85F128903433C9D6FFA289A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.606{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.599{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exeHKU\S-1-5-21-2245655832-1998535435-1064043650-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000) 23542300x800000000000000021754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.590{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI20D4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.587{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.586{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.586{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI20C4.tmpMD5=F6CB11A54A4C0FF683235C9DFC4453C0,SHA256=136469B55B9174CE1C71BCBE815BC667925ECFE85F128903433C9D6FFA289A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.585{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.585{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.583{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.583{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.579{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.578{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.578{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.577{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.577{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.577{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.577{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.577{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.576{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.576{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.576{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.575{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.575{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI20C4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.569{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2094.tmpMD5=F6CB11A54A4C0FF683235C9DFC4453C0,SHA256=136469B55B9174CE1C71BCBE815BC667925ECFE85F128903433C9D6FFA289A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.569{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.569{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.567{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.567{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.566{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.566{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.566{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.566{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.565{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.544{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.543{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.539{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.539{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.538{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.523{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2094.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.522{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.522{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.521{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.521{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.521{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.521{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2083.tmpMD5=F6CB11A54A4C0FF683235C9DFC4453C0,SHA256=136469B55B9174CE1C71BCBE815BC667925ECFE85F128903433C9D6FFA289A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.521{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.520{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.517{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.513{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.512{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.512{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.512{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.512{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.512{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.511{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.509{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.509{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.509{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2083.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.509{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.509{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.509{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.508{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.508{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C18299BEA84C10FBDE1C4C1D7955B2,SHA256=A7DACA61E86C6E7B17EC87EE4A3C5673BDFEE3DE7436992DB3AE0E206971F60C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.508{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.506{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2073.tmpMD5=F6CB11A54A4C0FF683235C9DFC4453C0,SHA256=136469B55B9174CE1C71BCBE815BC667925ECFE85F128903433C9D6FFA289A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.503{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.503{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.503{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.503{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.503{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.502{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.493{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.492{2EF863A9-9BFD-63CF-1401-00000000B202}4636WIN-HOST-CTUS-A\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGI2073.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.491{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.475{2EF863A9-992A-63CF-1100-00000000B202}936344C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.475{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.470{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.461{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.453{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.453{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.452{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.452{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.452{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.452{2EF863A9-9BF7-63CF-F500-00000000B202}25923620C:\Windows\system32\csrss.exe{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.452{2EF863A9-9BFB-63CF-0901-00000000B202}5283160C:\Windows\Explorer.EXE{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+552294|C:\Windows\System32\SHELL32.dll+551cf0|C:\Windows\System32\SHELL32.dll+551e64|C:\Windows\System32\SHELL32.dll+1f044d|C:\Windows\System32\SHELL32.dll+9fce9|C:\Windows\System32\SHELL32.dll+b68e1 154100x800000000000000021671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.452{2EF863A9-9BFD-63CF-1401-00000000B202}4636C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdminC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000021670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.450{2EF863A9-9BFB-63CF-FE00-00000000B202}952948C:\Windows\System32\RuntimeBroker.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000021669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.450{2EF863A9-9BFB-63CF-FE00-00000000B202}952948C:\Windows\System32\RuntimeBroker.exe{2EF863A9-9BFB-63CF-0001-00000000B202}3480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000021668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.449{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.448{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.448{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.448{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.448{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.447{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.447{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000021661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.422{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnk2023-01-18 16:10:31.991 23542300x800000000000000021660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.422{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnkMD5=859920D477EE7ED0174243DFF586E5E3,SHA256=1F8B2760E210762D02665D55224973A3EE73E43B7E0F5398AF35E86861B7CB50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.421{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.421{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.420{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000021656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.412{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnk2023-01-18 16:10:31.991 23542300x800000000000000021655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.411{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnkMD5=D5CF13D810C697DFC19F42E6D44FE391,SHA256=CDE1DBC52A9ED24304BE4A6EB10EBDD3C80F7016F136519CA3504F04539988E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.385{2EF863A9-9BFC-63CF-0B01-00000000B202}41764204C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.379{2EF863A9-9BFC-63CF-0B01-00000000B202}41764216C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.374{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76DE8FEC6403C7642AC399991EEE0FA,SHA256=409D45E792E7438FA393872494A5DAA66EE78F687EFB283395048B7E55412B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.374{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFb1ff6.TMPMD5=81EDC1C0ACC5AC901E127979074B8CF9,SHA256=24BF11E37F44049541968DFB22EACA57F4CFEC98AA106EE063E93E42F9AA4586,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.366{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.366{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.365{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.363{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.363{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.363{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.363{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.355{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.353{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.353{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.353{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.352{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.352{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.346{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.346{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.346{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.346{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.346{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.345{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.345{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.345{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.345{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.344{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.344{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.344{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.344{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.338{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.337{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.337{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.336{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.335{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.332{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.332{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.332{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.331{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.331{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.331{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RFb1fa8.TMPMD5=29A8AC35CA9A36C90900C3E920D06D44,SHA256=45CBDF705EB656CF35B8F15103E52C69AEA98F827D38082D1D3523EF51E58574,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.331{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.331{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD03F53BC5E7D2E513276B390F024831,SHA256=9718CDEE46FEA1A15F016ED21B0F8F99F9C51CB204E3499627BA8DD173C0B713,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.331{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.329{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.329{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.328{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.328{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.328{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.327{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.326{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.326{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.326{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.326{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.325{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.325{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.323{2EF863A9-992A-63CF-1100-00000000B202}936344C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.320{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.313{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.285{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.281{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.281{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.281{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.281{2EF863A9-9BF7-63CF-F500-00000000B202}25923092C:\Windows\system32\csrss.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.281{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.281{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.280{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.280{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.279{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.279{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.275{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.275{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.275{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.274{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.274{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.274{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.274{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.273{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.272{2EF863A9-9BF9-63CF-FA00-00000000B202}34602248C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 10341000x800000000000000021567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.272{2EF863A9-9BFC-63CF-0B01-00000000B202}41764288C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+21b54|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+2a21d|c:\windows\system32\appxdeploymentserver.dll+15830f|c:\windows\system32\appxdeploymentserver.dll+ae5a4|c:\windows\system32\appxdeploymentserver.dll+929c4|c:\windows\system32\appxdeploymentserver.dll+19e0c|c:\windows\system32\appxdeploymentserver.dll+2bffd|c:\windows\system32\appxdeploymentserver.dll+2bdf9|C:\Windows\SYSTEM32\ntdll.dll+80a34|C:\Windows\SYSTEM32\ntdll.dll+1e8a2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.272{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefreshC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx 10341000x800000000000000021565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.270{2EF863A9-9BF9-63CF-FA00-00000000B202}34602248C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe{2EF863A9-9BF9-63CF-F900-00000000B202}2976C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9 13241300x800000000000000021564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.266{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|B=C:\Windows\system32\wwahost.exe|M=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000021563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.264{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.264{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.264{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.264{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.264{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.263{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.263{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.261{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.261{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.260{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.260{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.260{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.260{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.260{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.259{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.257{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.257{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.257{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.257{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.257{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.257{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFC-63CF-0D01-00000000B202}4328C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 13241300x800000000000000021542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.257{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{65460DDA-C7E7-4A9E-A536-BD0CCA3F792A}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 10341000x800000000000000021541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.255{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.255{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A69ED25D-368F-48AB-A058-3E243ABE01EA}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 10341000x800000000000000021539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.255{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.255{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.255{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.255{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.254{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.254{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B76C0619-95BE-4AA3-A76F-AFE8BFED3D65}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 10341000x800000000000000021533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.254{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.253{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.253{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.253{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RFb1f79.TMPMD5=6B8140980857C86A0E56A9FE5928725A,SHA256=A17340757236B8247F247AF10781E2BFE78A86EF2379EC34B45D50A64A7CD2B4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.253{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8DB40801-2438-4CBF-9240-58FFADBA8CF6}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 10341000x800000000000000021528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.252{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.252{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.252{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1D857CFD-70FA-4F39-A932-E29F9F3300BF}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x800000000000000021525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.251{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E8733C54-1A65-46E3-BBA4-762B71BAAD40}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000021524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.250{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{63DBFAD3-A7A2-45D6-AC4D-2E5D141B607D}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000021523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.249{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{845A2A60-2AC3-4E7C-B94C-898498D584FB}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x800000000000000021522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.248{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{CD3AAC06-6FCD-4049-8853-76AC739600BA}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 10341000x800000000000000021521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.245{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.244{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.244{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.243{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.242{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.242{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.242{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.235{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.235{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.234{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.233{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.233{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.233{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.225{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.225{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.224{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.224{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.224{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.223{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.219{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.204{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|M=microsoft.aad.brokerplugin_cw5n1h2txyewy|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|D=C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\|PFN=Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 23542300x800000000000000021500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.202{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RFb1f4a.TMPMD5=57C8DE404373BAB54B89C2A0ECCF9335,SHA256=7CA76F0B9AA808D1DA2527809CD29B30406335BA27C408BBD39175F423F6DD8D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.199{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{11C74FB6-F0F3-4B3E-B347-654A9F924046}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000021498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.198{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{1616D551-2504-47E0-9776-BCC484E74E41}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000021497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.197{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A000C571-191A-4218-AB1F-0B8DC6A19F89}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000021496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.196{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{35EE74F0-31BC-44D2-8B76-5D0F8E04C86D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000021495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.195{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{138340F2-C3F9-4756-8647-61F894A7315F}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000021494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.194{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{70F68333-1C78-46DC-8AE9-B54EF16D3A22}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000021493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.193{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{33925AA6-F10C-4578-A530-7A405FEC8646}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000021492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.192{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4D6E1C94-E7CE-44B5-B379-F28F8BD47127}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x800000000000000021491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:09.191{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{BBFCE7F5-B9FC-4BFA-A37F-7C66F0F98D2D}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 10341000x800000000000000021490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.184{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.184{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.183{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.183{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.182{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.182{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.178{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.178{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.178{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.177{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.177{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.177{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.177{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.176{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.176{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.176{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.175{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.175{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.173{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RFb1f2b.TMPMD5=CE4EA1958BD7A54E6FFE7BD3A599A642,SHA256=6672E28A3AD07202118B42BBAC559D6A65AF8B3829B7AEB2F18B3EB70027DEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.167{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.166{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.166{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.166{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.166{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.165{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.165{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.162{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RFb1f2b.TMPMD5=595763DFD2DAB977091A843EBCF1164F,SHA256=C7A2B95661E15C18F8407CD81FBDE33356781C26DF3C60ED914AC534D35CEF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.157{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.154{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D8B6E313DF10ED3733D86E5CEADD26,SHA256=AB40FDA714E1F8A21DA134FDB0FF53B42D3F8B5173A506D47FFE385AF87C59EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.152{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RFb1f1b.TMPMD5=DADFF5A5756573645ADC5785A8099647,SHA256=CCF4C19E821EBC9A362A58A3B6CCC2B03674297D1777C6036A83EDF672C16A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.142{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFb1f0b.TMPMD5=D252F6F15CAEDF365FE2BA1989DBE20F,SHA256=82FB3B41C3D72F27391B1D27B42C99932F26CF5C6E817B65AF5AAD293BC24ACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.133{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.132{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.132{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.131{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.131{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.131{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.131{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.130{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.127{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.127{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.127{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.126{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.126{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.126{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.125{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.125{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.125{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.125{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.124{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.124{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.116{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.116{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.116{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.115{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.115{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.115{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.115{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.082{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.082{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.081{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.081{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.076{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.075{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.075{2EF863A9-9BFC-63CF-0B01-00000000B202}41764204C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.074{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.065{2EF863A9-992A-63CF-1100-00000000B202}936344C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1101-00000000B202}4512C:\Windows\System32\unregmp2.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.065{2EF863A9-992A-63CF-1100-00000000B202}9361140C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1101-00000000B202}4512C:\Windows\System32\unregmp2.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.059{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.049{2EF863A9-9929-63CF-0500-00000000B202}3963600C:\Windows\system32\csrss.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.048{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.041{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.041{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.041{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.040{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-1D00-00000000B202}1960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.039{2EF863A9-9BF7-63CF-F500-00000000B202}25923032C:\Windows\system32\csrss.exe{2EF863A9-9BFD-63CF-1101-00000000B202}4512C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.039{2EF863A9-9BFB-63CF-0901-00000000B202}5283160C:\Windows\Explorer.EXE{2EF863A9-9BFD-63CF-1101-00000000B202}4512C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+552294|C:\Windows\System32\SHELL32.dll+551cf0|C:\Windows\System32\SHELL32.dll+551e64|C:\Windows\System32\SHELL32.dll+1f044d|C:\Windows\System32\SHELL32.dll+9fce9|C:\Windows\System32\SHELL32.dll+b68e1 154100x800000000000000021412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.033{2EF863A9-9BFD-63CF-1101-00000000B202}4512C:\Windows\System32\unregmp2.exe12.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Media Player Setup UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationunregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogonC:\Windows\system32\WIN-HOST-CTUS-A\Administrator{2EF863A9-9BFA-63CF-B276-110000000000}0x1176b22HighMD5=0AFAF8B10C3D2B009DED280C875EA3EA,SHA256=CFC5A8170AF2CCB8F846BA738E5173596A4C35C023BCE5E6EB04E07779283188,IMPHASH=DFC94E57160B0CE8835243B5D92F3D9E{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x800000000000000021411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.012{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.012{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.009{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.008{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.008{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.008{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.008{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.007{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.007{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.001{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.000{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.000{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.000{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.999{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:08.999{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9A9D-63CF-AD00-00000000B202}2272C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:06.642{DAC7F284-9944-63CF-7100-00000000B102}3372C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local60736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:10.814{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345FEFF301A3EEF4EDCD44744BC4F924,SHA256=E08C526E8460DABF3D7DDB31E2A88D0BB8048B9156FE2631894868DE701A99DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000022445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.982{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.982{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.981{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.968{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.968{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.968{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.968{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.968{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.967{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.967{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.960{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.960{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.960{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.960{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.960{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.959{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.959{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.958{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.958{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.957{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.957{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.957{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.957{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.956{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.956{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.952{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.952{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.952{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.952{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.951{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.951{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.941{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\MiracastView\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.940{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654A93450B4384091B87438812A3238F,SHA256=8CF9DB34B10DD45C4AFC3871A069F99E029FE5187DE6B64CE3DD1C76562FF509,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.939{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.939{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.939{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.939{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.939{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.938{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.938{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.930{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.929{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.929{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.929{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.929{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.929{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.929{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.926{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.926{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.926{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.925{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.925{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.925{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.919{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.919{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.914{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.914{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.914{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.914{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.914{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.913{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.903{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.888{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.887{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.887{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.887{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.887{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.887{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.886{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.885{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|M=microsoft.xboxgamecallableui_cw5n1h2txyewy|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|D=C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\|PFN=Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000022375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.880{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B2F246D7-8FF6-43A2-B24A-75977C3EF17A}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000022374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.879{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{30995BC6-30FA-424C-AEE3-015630744928}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x800000000000000022373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.878{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FD166D3E-8CA4-4F83-9F57-EC9AADBB8EC3}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 13241300x800000000000000022372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.877{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E907178A-A043-4FF3-AEB2-CC8E4DF06455}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x800000000000000022371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.862{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.862{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.861{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.861{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.849{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.849{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.848{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.848{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.847{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.847{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.845{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.845{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.845{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.844{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.844{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.844{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.844{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.844{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.843{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.843{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.843{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.843{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.838{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.838{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.837{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.837{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.837{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.837{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.836{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.836{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.817{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.817{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.817{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.816{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.816{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.816{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.816{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.812{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.812{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.811{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.810{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.809{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.809{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.809{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.809{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.809{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.808{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.807{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.806{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.806{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.806{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.806{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.805{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.805{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.801{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ECACC5901CDFA8AF9DBAED452A5FE6,SHA256=9F4E3FEC6B664BFEC417DC4A5E954FB9FEDD1911466252FB4480B134D511E836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.801{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.801{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.800{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.800{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.800{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.799{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.791{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.786{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.603{2EF863A9-9BFB-63CF-0601-00000000B202}3108C:\Program Files\Aurora-Agent\aurora-agent-util.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49844-false82.165.105.236update-201.nextron-systems.com443https 354300x800000000000000022307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:09.505{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-249.us-east-2.compute.internal49843-false13.91.16.69-443https 13241300x800000000000000022306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.779{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|M=microsoft.windows.secondarytileexperience_cw5n1h2txyewy|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|D=C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\|PFN=Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy| 13241300x800000000000000022305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.775{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{44DFE49A-EFE8-47F3-A8CA-D4E9C0039DD2}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 13241300x800000000000000022304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.774{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C892D2F8-9A1D-4A12-963D-5AEE4152F044}v2.26|Action=Block|Active=TRUE|Dir=In|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 10341000x800000000000000022303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.768{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.768{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.768{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.768{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.768{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.767{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.767{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.759{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.759{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.759{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.759{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.758{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.758{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.758{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.756{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.756{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.756{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.755{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.755{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.755{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.755{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.755{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.751{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.750{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.750{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.750{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.750{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.750{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.742{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.742{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.742{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.741{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.741{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.740{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.740{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.738{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.738{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.737{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.737{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.737{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.737{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.736{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.736{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.736{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.736{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.736{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.735{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.730{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.730{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.730{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.730{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.730{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.729{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.729{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.715{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|M=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000022248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.710{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FED3A3DD-02D7-4367-8BB1-0CFA1E66A1B1}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 13241300x800000000000000022247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.709{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{62E3F589-AA68-445F-9C9A-E2CCD5248526}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 10341000x800000000000000022246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.708{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.708{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.707{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.693{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.684{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.682{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.682{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.681{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.680{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.679{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.679{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.675{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.675{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.675{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.674{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.674{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.674{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.674{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.674{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.674{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.673{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.673{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.673{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.667{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.667{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.667{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.667{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.666{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.665{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.665{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.660{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCE97FB3DA9BA28B8B832956D2DC873,SHA256=6B59B8AE8E22CCC144BCBF17B29C8EA2B0793CA3FD0EE5B5F562FFFD41CAC92C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.659{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.658{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.658{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.658{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.658{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.657{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.657{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.645{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.645{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.644{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.644{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.644{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.644{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.643{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.643{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.643{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.642{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.639{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.639{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.639{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.639{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.638{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.638{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.628{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.622{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000022183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.622{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000022182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.622{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000022181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.621{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000022180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.621{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000022179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.621{2EF863A9-992B-63CF-2100-00000000B202}15002844C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012880A90) 10341000x800000000000000022178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.617{2EF863A9-9BFC-63CF-0B01-00000000B202}41764204C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.599{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.598{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.598{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.598{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.598{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.598{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.597{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.591{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.591{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.591{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.590{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.590{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.590{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.590{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.588{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.588{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.588{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.587{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.587{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.587{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.587{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.584{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|M=microsoft.windows.apprep.chxapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy| 10341000x800000000000000022155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.582{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.581{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.581{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.581{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.581{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.580{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.579{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{084D3F47-4BA2-4268-B212-519349689982}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000022148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.578{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{57A14B72-B134-469C-B970-D2AA5CFD4CCE}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x800000000000000022147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.577{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{401510FF-CC08-478A-9577-A2AD669A4FA8}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x800000000000000022146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.576{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{155B6049-C0EE-4B13-92D1-9BAF459264BC}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 23542300x800000000000000022145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.571{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.559{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.546{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.546{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.545{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.545{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.543{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.543{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.539{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.539{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.539{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.538{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.538{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.538{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.538{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.538{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.537{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.537{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.537{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.537{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.536{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|M=microsoft.lockapp_cw5n1h2txyewy|Name=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\|PFN=Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x800000000000000022124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.531{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{6F684525-0D45-4DDA-8832-98C2D36101A5}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ| 10341000x800000000000000022123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.531{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.531{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.530{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.530{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{3094ACF5-22FE-406A-A9C8-F2902F91BC12}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 10341000x800000000000000022119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.530{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.530{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.530{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.529{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.529{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{141B052F-4E95-489A-ACCD-A6969C273072}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x800000000000000022114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.528{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{80BD7C0F-AACD-49D7-BBCA-57D78A2389FB}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 23542300x800000000000000022113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.523{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE28B809074D108BD02F16499BF77B1,SHA256=2E7B68207E983CC3992BFFD8A92D5D9B3FA6A9FA108E1B2A6D37B5E3ABAFA95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.506{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.505{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.505{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.504{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.494{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.494{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.493{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.492{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.491{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.491{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.486{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.486{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.486{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.485{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.485{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.485{2EF863A9-992A-63CF-0C00-00000000B202}716848C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.484{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.483{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.483{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.479{2EF863A9-9BFC-63CF-0B01-00000000B202}41764204C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.476{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.476{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.475{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.475{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.475{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.475{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.474{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.453{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.452{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.452{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.452{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.452{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.451{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.451{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.447{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.447{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.446{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.444{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.444{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.444{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.444{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.444{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.443{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.443{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.441{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.441{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.441{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.441{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.441{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.440{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.440{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.436{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.436{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.436{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.436{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.435{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.435{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.429{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BA322AC31D0F6DE4F976E3DF5F7E2378,SHA256=97309A6A30FB4C5B220779A61C4E67B03CF08A7A7C7A9FBC39FB0AF8FBC659BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.426{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.419{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.396{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.396{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.396{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.395{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.395{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.395{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.395{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.390{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-9|C=S-1-15-3-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|M=microsoft.accountscontrol_cw5n1h2txyewy|Name=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\|PFN=Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy| 10341000x800000000000000022041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.387{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.387{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.387{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.387{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.387{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.386{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.386{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.385{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{397EC30C-D43B-4ECD-B269-DFE896E43434}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000022033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.384{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E2F45DBD-36C1-4FCA-B7C8-451AC032E418}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 10341000x800000000000000022032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.384{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.384{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.383{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.383{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{EEBE05F7-245E-4EE7-82F0-88A61AABF43A}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 10341000x800000000000000022028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.383{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.383{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.383{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000022025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.382{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{19AA407F-6B1B-4FB0-91F8-CF8681B9E626}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 10341000x800000000000000022024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.382{2EF863A9-992A-63CF-0C00-00000000B202}7164744C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.379{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E14744F267FB936D986568C7E1ED53,SHA256=68F71D7FC5953BDC92C84134A8A0FD714ADCCBA470EC1902B5DF60D5EBB95007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.364{2EF863A9-992A-63CF-0C00-00000000B202}716760C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.364{2EF863A9-992A-63CF-0C00-00000000B202}7163668C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.363{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.363{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.363{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.363{2EF863A9-992A-63CF-0C00-00000000B202}716924C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.361{2EF863A9-992A-63CF-0C00-00000000B202}716752C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.361{2EF863A9-992A-63CF-0C00-00000000B202}716748C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.361{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.361{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.361{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.360{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.360{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.352{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3C89A7A5D3785F0C875D969E444F58,SHA256=0DED57A43847112AC2E077A035B30DA27B189F07B47D995D0EEDFE1A8C6A9068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.341{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.246{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000022006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.246{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000022005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.246{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000022004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.245{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000022003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.245{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000022002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.245{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1301-00000000B202}4608C:\Windows\system32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000022001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.216{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.216{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.215{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.214{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.213{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.213{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.210{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.209{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.209{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.208{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.208{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.208{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.208{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.208{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.208{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.208{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.207{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.207{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.201{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.201{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.201{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.200{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.200{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.200{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.200{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.177{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.176{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992B-63CF-2000-00000000B202}1112C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.175{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-2245655832-1998535435-1064043650-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.165{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742S-1-5-21-2245655832-1998535435-1064043650-500v2.26|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|C=S-1-15-3-1|C=S-1-15-3-2|C=S-1-15-3-3|C=S-1-15-3-4|C=S-1-15-3-6|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-3215430884-1339816292-89257616-1145831019|C=S-1-15-3-3071617654-1314403908-1117750160-3581451107|C=S-1-15-3-593192589-1214558892-284007604-3553228420|C=S-1-15-3-3870101518-1154309966-1696731070-4111764952|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-2345035983-1170044712-735049875-2883010875|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2452736844-1257488215-2818397580-3305426111|C=S-1-15-3-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|M=microsoft.windows.cortana_cw5n1h2txyewy|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\|PFN=Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy| 13241300x800000000000000021972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.144{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{A3C95122-4F12-4DD7-8EAB-076A5619CE68}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| 13241300x800000000000000021971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.143{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{14C24A6A-3FD0-4483-92E1-D3C452C3E488}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x800000000000000021970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.142{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C2966CCB-679E-4250-9E8E-2696DAF34ABD}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000021969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.142{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6FFB0BDE-A15C-49C8-91E7-57317D26C697}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000021968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.141{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4B31C56C-1427-4614-A1CD-F1862CF1B297}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000021967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.140{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F9F8BF05-BC35-4BC4-B00D-731D2AE0375B}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x800000000000000021966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.140{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{BBAE2DA8-7C25-4303-866C-1478957DB6F4}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x800000000000000021965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.139{2EF863A9-9BFC-63CF-0B01-00000000B202}41764208C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0A01-00000000B202}2932C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000021964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.139{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{62224BBA-A900-432F-A46B-A5CA912C8396}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000021963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.138{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{27747433-7F20-4457-9091-7AED1837900D}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x800000000000000021962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-SetValue2023-01-24 08:51:10.137{2EF863A9-992A-63CF-1400-00000000B202}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B5EA4427-AB05-497E-9AB4-D832EA8A03F6}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-2245655832-1998535435-1064043650-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x800000000000000021961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.118{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.118{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.118{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.117{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.117{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.117{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.117{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.113{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2MD5=F045C633B9340D27547D12EECC7EE0B9,SHA256=9D04CBA5F699DF1AD06BC5541F85917A856292F181493393EC89EBF2980A1B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.111{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=CD0B1FDF28910E391492F4807B474473,SHA256=EF923067C3091E773EB086A786D5E2FCA53B01EE8CE0A2EEB6704C85935CD2F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.108{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.108{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.108{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.datMD5=9C746CF42DB3B621537D8310CE3D4BE1,SHA256=52D93909D30105CE61FB14BD32AC9473BC627199AA83808B337F6D874CC46FDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.108{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.108{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.108{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.107{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.107{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.105{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.105{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.104{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.104{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420250026721327.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.104{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.104{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.104{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.103{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.101{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420249992652675.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.099{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.099{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.098{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.098{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.098{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.097{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFC-63CF-0B01-00000000B202}4176C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea5f|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.096{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingssynonyms.txtMD5=9239D33BCC9C55C4D97DCAE64A7E2F5B,SHA256=D147C9B76ACC226324DEF206D680C3368109018BE254FD1399C8E2ED2C3D77E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.092{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsglobals.txtMD5=D2D6B108ED635B192276F2E13160BB9F,SHA256=598A2674BE811C1256B0E18311CE5CBA2A542D0965FF4A0AC96173CE78A4C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.087{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.087{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.078{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.schemaMD5=AC68AC6BFFD26DBEA6B7DBD00A19A3DD,SHA256=D6BDEAA9BC0674AE9E8C43F2E9F68A2C7BB8575B3509685B481940FDA834E031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.074{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.csgMD5=A97FD910ECCB1049B949DF2B6D0EA605,SHA256=B84B14439AD5607B15A96B922CD63EA6C8CB1281BF3B84037C5CE90FBEB29766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.072{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appssynonyms.txtMD5=E86D86E41327A21E2448076DD6C97A81,SHA256=A3DC890A9E3D99D3336455F0CFD94ACCAAD69242D0A1C8649AC82B8E1F8BB6FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.068{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsglobals.txtMD5=5925E930562DA940101DE785C1CBC5B3,SHA256=B6C3C8B85CECB5743E5A62C706152F83606B5690F0926B5CC16D29CBFE3ED39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.057{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.055{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.schemaMD5=1659677C45C49A78F33551DA43494005,SHA256=5AF0FC2A0B5CCECDC04E54B3C60F28E3FF5C7D4E1809C6D7C8469F0567C090BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.054{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.csgMD5=FB7202F6D377FD89C7B261E34D680D33,SHA256=839D24F509CA8BF8737074BF42E83A88A32EE3760BD34BBA2A7CF6CF482A1C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.051{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.048{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2BA13206EC7D2123C27175FE44F1B306,SHA256=DB8F5777024078B07353044C364F37C23E4B633B9D2B9420A65E52C728BC56D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.046{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.044{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.042{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.040{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.039{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.036{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.032{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.029{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.028{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.028{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.028{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.027{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.027{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 10341000x800000000000000021903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.027{2EF863A9-992B-63CF-2100-00000000B202}15002800C:\Program Files\Aurora-Agent\aurora-agent.exe{2EF863A9-9BFD-63CF-1201-00000000B202}4552C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012DA6190) 23542300x800000000000000021902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.026{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.025{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.024{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.019{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FEEDCB9B-F3C5-495B-A8D7-84F79D27D88E}MD5=9FCDA9AF0663B95421B2DF4DF2E1B9D4,SHA256=B3003B1A6220FA0F3390E2F297DFA4209C45C3D8FB9B55ABBA2507792720A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.012{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FE283CE6-7678-4BF6-BD45-D855B6683130}MD5=3E30C6D0FC6DB0EE27A19FCF25DF566B,SHA256=EA12C2CD052FE46441BCC9C4FB81D9D52C1FEE3AEE762C09EB2FE34D19B1D2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.010{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E79AFC5E-81E0-48C0-B2B8-B0755C4E824D}MD5=8571A37EA5341C6306283678D6D7B3F7,SHA256=DA51B889B504FE15B3526AA6A87A4A9843989F4EB6D32CFB205861A223030B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.008{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E46F3460-B4C6-40F2-9BF2-B4D9A4F6ED86}MD5=DB04268CDC55A7FE26A2F145F86BF875,SHA256=CFACBA24A15CFB163790F9C67CDB2B2CC82CE006B9E32AC8687DBFC7DB69B258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.006{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E28967A0-A00F-44F4-BEB5-D1DC1F682F91}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.004{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E1C5F6E0-5D96-4432-9C54-B630B005F17D}MD5=A220E6F69189C7C262EA46B8EE8E6FE4,SHA256=556020DC6EFBDBF8054FAEEE15519516CBF2B11904D5AF9E04D041D7480BCA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.002{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{DE7873BF-B56F-4465-AA14-AD810677CFF1}MD5=5E62597AD6E77746796E3B8571490D14,SHA256=45FB70B917C807BEFD513465866C4D27A4E869DA31182CDCF6D314DF224EB651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:10.000{2EF863A9-9BFC-63CF-0B01-00000000B202}4176NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D7779C65-D55A-4E6E-AB28-222AD101D61C}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:08.025{DAC7F284-9939-63CF-2F00-00000000B102}2808C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-759.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A59889- 10341000x800000000000000022615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.999{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.994{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.993{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.983{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.983{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.978{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.960{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.950{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FB63069430892B8F328E36058EC6E9,SHA256=003AEAEDE47BD94FE6FA03FF8823B9137826B88923D37F9A971BD9FF4E0C626E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.948{2EF863A9-9BFB-63CF-0901-00000000B202}528WIN-HOST-CTUS-A\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.946{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.946{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.945{2EF863A9-992A-63CF-0C00-00000000B202}7164444C:\Windows\system32\svchost.exe{2EF863A9-992A-63CF-1100-00000000B202}936C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.892{2EF863A9-9BFB-63CF-FE00-00000000B202}952900C:\Windows\System32\RuntimeBroker.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000022602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.892{2EF863A9-9BFB-63CF-FE00-00000000B202}952900C:\Windows\System32\RuntimeBroker.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000022601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.888{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.885{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.882{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.871{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.858{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.846{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.837{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.829{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.818{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.815{2EF863A9-993E-63CF-7400-00000000B202}3608NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1387428C6EEDCE6696771B605512C83E,SHA256=F0AAA0E3222CD71DDE74D7D8CFA6BBA148991401B2CDDB7C3F991C30005F21A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.807{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.797{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-759.attackrange.local-2023-01-24 08:51:11.902{DAC7F284-994B-63CF-7B00-00000000B102}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCABD541E9D49B6797FF6DE17A8B4E8,SHA256=0627803A8CC91C63E1D8ABC41E9E1ECD298E54241C97E29B2809C7C875EFC71C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000022589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.789{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.780{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.771{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.760{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.751{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.742{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.732{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.725{2EF863A9-9BFB-63CF-0901-00000000B202}5284984C:\Windows\Explorer.EXE{2EF863A9-9BFF-63CF-1701-00000000B202}4932C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000022581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.725{2EF863A9-9BFB-63CF-0901-00000000B202}5284984C:\Windows\Explorer.EXE{2EF863A9-9BFF-63CF-1701-00000000B202}4932C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000022580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.723{2EF863A9-9929-63CF-0B00-00000000B202}616692C:\Windows\system32\lsass.exe{2EF863A9-9BFB-63CF-0901-00000000B202}528C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.721{2EF863A9-9BFB-63CF-0901-00000000B202}5284984C:\Windows\Explorer.EXE{2EF863A9-9BFF-63CF-1701-00000000B202}4932C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000022578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.720{2EF863A9-9BFB-63CF-0901-00000000B202}5284920C:\Windows\Explorer.EXE{2EF863A9-9BFF-63CF-1701-00000000B202}4932C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000022577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.714{2EF863A9-9BFB-63CF-0901-00000000B202}5284920C:\Windows\Explorer.EXE{2EF863A9-9BFF-63CF-1701-00000000B202}4932C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000022576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-249-2023-01-24 08:51:11.714{2EF863A9-9BFB-63CF-0901-00000000B202}5284984C:\Wi