10341000x80000000000000004511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.363{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.347{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.331{7C68B4B2-7DF8-635A-1500-000000008B02}10362516C:\Windows\System32\svchost.exe{7C68B4B2-7DF9-635A-2500-000000008B02}2692C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1033a|C:\Windows\system32\wbem\wbemcore.dll+2d14f|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.331{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF9-635A-2500-000000008B02}2692C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.314{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF9-635A-2500-000000008B02}2692C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.314{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF9-635A-2500-000000008B02}2692C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.299{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.283{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.267{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-2100-000000008B02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.267{7C68B4B2-7DF7-635A-0A00-000000008B02}6241796C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-2100-000000008B02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.651{7C68B4B2-7DF8-635A-2100-000000008B02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 17141700x80000000000000004451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-CreatePipe2022-10-27 12:47:53.267{7C68B4B2-7DF8-635A-1500-000000008B02}1036\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\System32\svchost.exe 10341000x80000000000000004450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.252{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1E00-000000008B02}1904C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.252{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.252{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.221{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.221{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.221{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.221{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.190{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF9-635A-2400-000000008B02}2528C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.185{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF9-635A-2400-000000008B02}2528C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.185{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF9-635A-2400-000000008B02}2528C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.184{7C68B4B2-7DF9-635A-2400-000000008B02}2528C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000004439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF4-635A-0200-000000008B02}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2300-000000008B02}2352C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.130{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2300-000000008B02}2352C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2000-000000008B02}2036C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2000-000000008B02}2036C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1D00-000000008B02}1896C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1D00-000000008B02}1896C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1C00-000000008B02}1888C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1C00-000000008B02}1888C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1B00-000000008B02}1880C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1B00-000000008B02}1880C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2200-000000008B02}1684C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2200-000000008B02}1684C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2100-000000008B02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-2100-000000008B02}1228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-1200-000000008B02}980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-1200-000000008B02}980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0F00-000000008B02}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0F00-000000008B02}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.129{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF4-635A-0200-000000008B02}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF4-635A-0200-000000008B02}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.128{7C68B4B2-7DF8-635A-1E00-000000008B02}19041908C:\Program Files\Aurora-Agent\aurora-agent.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|C:\Program Files\Aurora-Agent\aurora-agent.exe+d99fb0 10341000x80000000000000004371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.124{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1E00-000000008B02}1904C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.094{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-2300-000000008B02}2352C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.094{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-2300-000000008B02}2352C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.057{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2022-10-27 12:47:53.057 10341000x80000000000000004367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.057{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.057{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:53.057{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000004364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:53.057{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000004363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:53.057{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000004362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:53.057{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000004361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.057{7C68B4B2-7DF8-635A-1400-000000008B02}7001616C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x80000000000000004360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.057{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.057{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:53.041{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000004357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:53.041{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x80000000000000004356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:53.041{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x80000000000000004355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:53.041{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.962{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-2300-000000008B02}2352C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.946{7C68B4B2-7DF8-635A-1400-000000008B02}7001600C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x80000000000000004332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.946{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c57) 10341000x80000000000000004331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.930{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.915{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000004320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-1200-000000008B02}980C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF8-635A-1500-000000008B02}10362060C:\Windows\System32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF8-635A-1500-000000008B02}10361088C:\Windows\System32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF8-635A-1500-000000008B02}10362060C:\Windows\System32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF8-635A-1500-000000008B02}10361088C:\Windows\System32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.915{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.909{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.905{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\samsrv.dll+376b|C:\Windows\SYSTEM32\samsrv.dll+3457|C:\Windows\SYSTEM32\samsrv.dll+337c|C:\Windows\SYSTEM32\samsrv.dll+32fe|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.904{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\samsrv.dll+376b|C:\Windows\SYSTEM32\samsrv.dll+3605|C:\Windows\SYSTEM32\samsrv.dll+35a3|C:\Windows\SYSTEM32\samsrv.dll+33c6|C:\Windows\SYSTEM32\samsrv.dll+32eb|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.904{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\samsrv.dll+3e49|C:\Windows\SYSTEM32\samsrv.dll+3c53|C:\Windows\SYSTEM32\samsrv.dll+32bf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.890{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.889{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.889{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.889{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.888{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.887{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.886{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.886{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.886{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.886{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.814{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.814{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.810{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.809{7C68B4B2-7DF7-635A-0A00-000000008B02}624724C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1D00-000000008B02}1896C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.807{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.807{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.806{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.806{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1E00-000000008B02}1904C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.806{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.806{7C68B4B2-7DF7-635A-0A00-000000008B02}624948C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1E00-000000008B02}1904C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.561{7C68B4B2-7DF8-635A-1E00-000000008B02}1904C:\Program Files\Aurora-Agent\aurora-agent.exe1.1.0Aurora AgentAurora AgentNextron Systemsaurora-agent.exe"C:\Program Files\Aurora-Agent\aurora-agent.exe" --service --config "C:\Program Files\Aurora-Agent\agent-config.yml"C:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=9D3844E10A3CE66C9908670A31F7A58A,SHA256=F82C65314FAFE8E350188953B877147874AD4D2631F1A89686B0DDB8DC583BE2,IMPHASH=FC1DA3B0A7ACFED2DD9996A75A66EF91{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000004273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.804{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.804{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.800{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.800{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.773{7C68B4B2-7DF8-635A-1400-000000008B02}7001548C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.771{7C68B4B2-7DF8-635A-1400-000000008B02}7001548C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.765{7C68B4B2-7DF8-635A-1500-000000008B02}10361300C:\Windows\System32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.732{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-2200-000000008B02}1684C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.732{7C68B4B2-7DF7-635A-0B00-000000008B02}632672C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.732{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.717{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1D00-000000008B02}1896C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.717{7C68B4B2-7DF7-635A-0A00-000000008B02}624708C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1D00-000000008B02}1896C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.554{7C68B4B2-7DF8-635A-1D00-000000008B02}1896C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=44E0D0EF8358B0E2803F39CC6E50B238,SHA256=FF2A83B54F5380B2004807FE8BADD3E90EEB17DDD2C012C7E12A5D1C5EB3A1A7,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 644600x80000000000000004260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:48.670C:\Windows\System32\drivers\ena.sysMD5=65A3B3392440F3A0D5C872E0A2BC60D2,SHA256=D43D6DDFDC6038FE22A8ED708AD1C19FAF080C939E34D4E826B7F65948E8F9E1,IMPHASH=6FFD351A81BB8A4D4E0238012A115086trueAmazon Web Services, Inc.Valid 13241300x80000000000000004259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.717{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x80000000000000004258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.717{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x80000000000000004257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.717{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.717{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.685{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.685{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.670{7C68B4B2-7DF7-635A-0A00-000000008B02}6241832C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.670{7C68B4B2-7DF8-635A-1400-000000008B02}7001548C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.670{7C68B4B2-7DF8-635A-1400-000000008B02}7001548C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.670{7C68B4B2-7DF8-635A-1400-000000008B02}7001548C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.654{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x80000000000000004248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.623{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-2000-000000008B02}2036C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.623{7C68B4B2-7DF8-635A-1500-000000008B02}10361580C:\Windows\System32\svchost.exe{7C68B4B2-7DF8-635A-2000-000000008B02}2036C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.607{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.607{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.607{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.607{7C68B4B2-7DF7-635A-0A00-000000008B02}624724C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.607{7C68B4B2-7DF8-635A-1F00-000000008B02}1996C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000004241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0A00-000000008B02}6241816C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1C00-000000008B02}1888C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0A00-000000008B02}6241016C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1B00-000000008B02}1880C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1B00-000000008B02}1880C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.591{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.576{7C68B4B2-7DF7-635A-0A00-000000008B02}6241804C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.550{7C68B4B2-7DF8-635A-1A00-000000008B02}1872C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000004228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.576{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.576{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.576{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x80000000000000004225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1C00-000000008B02}1888C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.560{7C68B4B2-7DF7-635A-0A00-000000008B02}624288C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1C00-000000008B02}1888C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.554{7C68B4B2-7DF8-635A-1C00-000000008B02}1888C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000004216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1B00-000000008B02}1880C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0A00-000000008B02}6241812C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1B00-000000008B02}1880C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.545{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.545{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x0000028b) 13241300x80000000000000004204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.529{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000004203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.529{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000004202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.513{7C68B4B2-7DF7-635A-0A00-000000008B02}624948C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.513{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.513{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.498{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.498{7C68B4B2-7DF7-635A-0A00-000000008B02}624708C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.490{7C68B4B2-7DF8-635A-1800-000000008B02}1744C:\Windows\System32\spoolsv.exe10.0.14393.5356 (rs1_release.220906-1211)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=48B18DEA6BDDC1A22AD9EF16CE63A0A4,SHA256=E295AE0FC0EE67320590D8A49BC16054ACCB6E7BAF05DB531D10B0D6DB81A21C,IMPHASH=BDE05BF1A813EB07FFA212837CB0F528{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000004196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.498{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.482{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.482{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.482{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.482{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.482{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.451{7C68B4B2-7DF7-635A-0A00-000000008B02}624732C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.451{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000004188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.451{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.451{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.451{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.435{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.435{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.435{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000004180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.420{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000004176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.420{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000004175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.404{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{CDF9A172-6939-4CDF-99D6-082432755504}\DateLastConnectedBinary Data 10341000x80000000000000004171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.404{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.404{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.404{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.388{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.373{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000004149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.373{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.373{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.373{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.373{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.357{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.357{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.357{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.357{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.342{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.328{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpGatewayHardwareCountDWORD (0x00000001) 13241300x80000000000000004139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.328{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpGatewayHardwareBinary Data 12241200x80000000000000004138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.328{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpGatewayHardwareCount 12241200x80000000000000004137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.328{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpGatewayHardware 10341000x80000000000000004136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.310{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.310{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.310{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000004133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276T10532022-10-27 12:47:52.310{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 10341000x80000000000000004132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.295{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.295{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.295{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.279{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.279{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.279{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.279{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.279{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.248{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0F00-000000008B02}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.217{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.217{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.217{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.217{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.201{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.201{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.185{7C68B4B2-7DF7-635A-0A00-000000008B02}624972C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.185{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.170{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.170{7C68B4B2-7DF7-635A-0A00-000000008B02}624948C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1700-000000008B02}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.170{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x80000000000000004112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.170{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x80000000000000004111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.170{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x80000000000000004110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.170{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000004109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.170{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x80000000000000004108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.170{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x80000000000000004107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.154{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.154{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.154{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.154{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.154{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.154{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.154{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000004100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.154{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x80000000000000004099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.154{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000004098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.154{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000004097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.154{7C68B4B2-7DF7-635A-0A00-000000008B02}624948C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000004094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000004093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000004092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000004091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000004090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000004089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\AddressTypeDWORD (0x00000000) 13241300x80000000000000004088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\LeaseTerminatesTimeDWORD (0x635a8c08) 13241300x80000000000000004087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\T2DWORD (0x635a8a46) 13241300x80000000000000004086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\T1DWORD (0x635a8500) 13241300x80000000000000004085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\LeaseObtainedTimeDWORD (0x635a7df8) 13241300x80000000000000004084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\LeaseDWORD (0x00000e10) 13241300x80000000000000004083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpServer10.0.1.1 13241300x80000000000000004082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpSubnetMask255.255.255.0 13241300x80000000000000004081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpIPAddress10.0.1.15 13241300x80000000000000004080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpInterfaceOptionsBinary Data 13241300x80000000000000004079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpSubnetMaskOptBinary Data 13241300x80000000000000004078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpDefaultGatewayBinary Data 13241300x80000000000000004077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000004076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpNameServer10.0.0.2 13241300x80000000000000004075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer10.0.0.2 13241300x80000000000000004074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpDomainus-east-2.compute.internal 13241300x80000000000000004073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomainus-east-2.compute.internal 13241300x80000000000000004072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000004071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000004070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000004069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000004068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.138{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000004067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-0A00-000000008B02}624708C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1600-000000008B02}1192C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000004061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000004060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\AddressTypeDWORD (0x00000000) 13241300x80000000000000004059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\LeaseTerminatesTimeDWORD (0x00000000) 13241300x80000000000000004058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\T2DWORD (0x00000000) 13241300x80000000000000004057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\T1DWORD (0x00000000) 13241300x80000000000000004056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\LeaseObtainedTimeDWORD (0x00000000) 13241300x80000000000000004055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\LeaseDWORD (0x00000000) 13241300x80000000000000004054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpServer255.255.255.255 13241300x80000000000000004053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpSubnetMask255.0.0.0 13241300x80000000000000004052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpIPAddress0.0.0.0 12241200x80000000000000004051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpInterfaceOptions 13241300x80000000000000004050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 12241200x80000000000000004049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpDefaultGateway 13241300x80000000000000004048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\Dhcpv6StateDWORD (0x00000001) 12241200x80000000000000004047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpSubnetMaskOpt 12241200x80000000000000004046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpDomain 12241200x80000000000000004045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain 12241200x80000000000000004044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\DhcpNameServer 12241200x80000000000000004043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer 13241300x80000000000000004042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{fd47dd4c-5336-4587-b19e-a9a1cefc7308}\Dhcpv6StateDWORD (0x00000000) 10341000x80000000000000004041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.123{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:52.107{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x80000000000000004037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.076{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.076{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.076{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0A00-000000008B02}624728C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0A00-000000008B02}624732C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.060{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.045{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.045{7C68B4B2-7DF7-635A-0A00-000000008B02}624948C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1500-000000008B02}1036C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.045{7C68B4B2-7DF7-635A-0A00-000000008B02}6241032C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0A00-000000008B02}624288C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000004020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.043{7C68B4B2-7DF8-635A-1400-000000008B02}700C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{7C68B4B2-7DF7-635A-E503-000000000000}0x3e50SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000004019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.029{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000004010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF7-635A-0A00-000000008B02}6241016C:\Windows\system32\services.exe{7C68B4B2-7DF8-635A-1300-000000008B02}752C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:52.013{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000004003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:51.935{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x80000000000000004002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.920{7C68B4B2-7DF7-635A-0E00-000000008B02}892408C:\Windows\system32\LogonUI.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.904{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000004000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.904{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.888{7C68B4B2-7DF7-635A-0A00-000000008B02}6241016C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-1200-000000008B02}980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.888{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-1200-000000008B02}980C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF7-635A-0A00-000000008B02}6241016C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-1200-000000008B02}980C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF7-635A-0A00-000000008B02}624972C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-1200-000000008B02}980C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF7-635A-0C00-000000008B02}736868C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.873{7C68B4B2-7DF7-635A-0B00-000000008B02}632716C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.857{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.857{7C68B4B2-7DF7-635A-0A00-000000008B02}624728C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-1100-000000008B02}956C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.857{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.857{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.857{7C68B4B2-7DF7-635A-0A00-000000008B02}624708C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.857{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF6-635A-0800-000000008B02}496592C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-0F00-000000008B02}912C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF6-635A-0500-000000008B02}416532C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF6-635A-0900-000000008B02}572880C:\Windows\system32\winlogon.exe{7C68B4B2-7DF7-635A-0F00-000000008B02}912C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.843{7C68B4B2-7DF7-635A-0F00-000000008B02}912C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{7C68B4B2-7DF7-635A-9BB6-000000000000}0xb69b1SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000003979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0A00-000000008B02}624724C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.845{7C68B4B2-7DF7-635A-1000-000000008B02}924C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{7C68B4B2-7DF7-635A-E403-000000000000}0x3e40SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000003977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0C00-000000008B02}736920C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF6-635A-0800-000000008B02}496512C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0C00-000000008B02}736900C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF6-635A-0900-000000008B02}572576C:\Windows\system32\winlogon.exe{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.842{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.840{7C68B4B2-7DF7-635A-0E00-000000008B02}892C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b40055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000003967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.826{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1d27e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.826{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.826{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1b736|C:\Windows\system32\lsasrv.dll+1cce5|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.826{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.826{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.826{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.826{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.748{7C68B4B2-7DF7-635A-0C00-000000008B02}736780C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.748{7C68B4B2-7DF7-635A-0C00-000000008B02}736780C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.748{7C68B4B2-7DF7-635A-0C00-000000008B02}736780C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.748{7C68B4B2-7DF7-635A-0C00-000000008B02}736768C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9bf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.748{7C68B4B2-7DF7-635A-0C00-000000008B02}736772C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9bf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.732{7C68B4B2-7DF7-635A-0C00-000000008B02}736840C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.732{7C68B4B2-7DF7-635A-0C00-000000008B02}736840C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.732{7C68B4B2-7DF7-635A-0C00-000000008B02}736840C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.732{7C68B4B2-7DF7-635A-0C00-000000008B02}736840C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.732{7C68B4B2-7DF7-635A-0C00-000000008B02}736840C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9bf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.732{7C68B4B2-7DF7-635A-0C00-000000008B02}736840C:\Windows\system32\svchost.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.732{7C68B4B2-7DF4-635A-0200-000000008B02}320332C:\Windows\System32\smss.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x80000000000000003948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:51.701{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000003947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:51.701{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x80000000000000003946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.670{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.670{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.654{7C68B4B2-7DF7-635A-0C00-000000008B02}736780C:\Windows\system32\svchost.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+46838|c:\windows\system32\rpcss.dll+7593|c:\windows\system32\rpcss.dll+74fe|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.638{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.638{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.638{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.623{7C68B4B2-7DF7-635A-0A00-000000008B02}624708C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.623{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.623{7C68B4B2-7DF7-635A-0A00-000000008B02}624628C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-0D00-000000008B02}788C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.623{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.623{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.592{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.592{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.435{7C68B4B2-7DF7-635A-0A00-000000008B02}624708C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.435{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.435{7C68B4B2-7DF7-635A-0A00-000000008B02}624628C:\Windows\system32\services.exe{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.437{7C68B4B2-7DF7-635A-0C00-000000008B02}736C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000003929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.420{7C68B4B2-7DF7-635A-0B00-000000008B02}632720C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.404{7C68B4B2-7DF7-635A-0B00-000000008B02}632688C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.404{7C68B4B2-7DF7-635A-0B00-000000008B02}632688C:\Windows\system32\lsass.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000003923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276T1101SetValue2022-10-27 12:47:51.404{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008) 10341000x80000000000000003922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.154{7C68B4B2-7DF7-635A-0B00-000000008B02}632636C:\Windows\system32\lsass.exe{7C68B4B2-7DF4-635A-0100-000000008B02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+5ac9c|C:\Windows\system32\lsasrv.dll+63e8f|C:\Windows\system32\lsasrv.dll+6f44e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+46b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.076{7C68B4B2-7DF6-635A-0700-000000008B02}488492C:\Windows\system32\wininit.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000003920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.060{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.060{7C68B4B2-7DF6-635A-0700-000000008B02}488492C:\Windows\system32\wininit.exe{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.074{7C68B4B2-7DF7-635A-0B00-000000008B02}632C:\Windows\System32\lsass.exe10.0.14393.4704 (rs1_release.211004-1917)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000003917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.029{7C68B4B2-7DF6-635A-0500-000000008B02}416432C:\Windows\system32\csrss.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.029{7C68B4B2-7DF6-635A-0700-000000008B02}488492C:\Windows\system32\wininit.exe{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000003915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:51.021{7C68B4B2-7DF7-635A-0A00-000000008B02}624C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000003914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.904{7C68B4B2-7DF6-635A-0600-000000008B02}480484C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000003913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.900{7C68B4B2-7DF6-635A-0900-000000008B02}572C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{7C68B4B2-7DF6-635A-0600-000000008B02}480C:\Windows\System32\smss.exe- 10341000x80000000000000003912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.888{7C68B4B2-7DF4-635A-0200-000000008B02}320332C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x80000000000000003911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:50.857{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-host-ctus-attack-range-276 10341000x80000000000000003910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.857{7C68B4B2-7DF6-635A-0400-000000008B02}408412C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000003909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.862{7C68B4B2-7DF6-635A-0700-000000008B02}488C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{7C68B4B2-7DF6-635A-0400-000000008B02}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d0 0000007c 10341000x80000000000000003908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.857{7C68B4B2-7DF6-635A-0600-000000008B02}480484C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000003907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.864{7C68B4B2-7DF6-635A-0800-000000008B02}496C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{7C68B4B2-7DF6-635A-0600-000000008B02}480C:\Windows\System32\smss.exe- 10341000x80000000000000003906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.857{7C68B4B2-7DF4-635A-0200-000000008B02}320332C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0600-000000008B02}480C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.857{7C68B4B2-7DF4-635A-0200-000000008B02}320332C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0600-000000008B02}480C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000003904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.858{7C68B4B2-7DF6-635A-0600-000000008B02}480C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{7C68B4B2-7DF4-635A-0200-000000008B02}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000003903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.841{7C68B4B2-7DF4-635A-0200-000000008B02}320332C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x80000000000000003902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:50.779{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x80000000000000003901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:50.779{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x80000000000000003900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:50.779{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000003899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:50.779{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x80000000000000003898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:50.779{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 10341000x80000000000000003897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.748{7C68B4B2-7DF6-635A-0400-000000008B02}408412C:\Windows\System32\smss.exe{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000003896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.751{7C68B4B2-7DF6-635A-0500-000000008B02}416C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{7C68B4B2-7DF6-635A-0400-000000008B02}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d0 0000007c 10341000x80000000000000003895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.638{7C68B4B2-7DF4-635A-0200-000000008B02}320332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6ce4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000003894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.638{7C68B4B2-7DF4-635A-0200-000000008B02}320332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000003893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:50.650{7C68B4B2-7DF6-635A-0400-000000008B02}408C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000d0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{7C68B4B2-7DF4-635A-0200-000000008B02}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 644600x80000000000000003892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:49.857C:\Windows\System32\drivers\AWSNVMe.sysMD5=107A18FF866DABA3C1F81A513F134BD0,SHA256=90A15A7EF2AF4B0ECBB863C8F28F105DE8A0779357FBC68580550846F0B5674C,IMPHASH=38C42FFC959E42970135FFB1C392B14FtrueAmazon Web Services, Inc.Valid 13241300x80000000000000003891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.201{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x80000000000000003890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:49.201{7C68B4B2-7DF4-635A-0200-000000008B02}320324C:\Windows\System32\smss.exe{7C68B4B2-7DF5-635A-0300-000000008B02}364C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x80000000000000003889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:49.193{7C68B4B2-7DF5-635A-0300-000000008B02}364C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{7C68B4B2-7DF7-635A-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{7C68B4B2-7DF4-635A-0200-000000008B02}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x80000000000000003888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000003887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000003886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000003885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000003884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000003883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000003882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000003881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000003880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:49.185{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 644600x80000000000000003879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-2022-10-27 12:47:48.357C:\Windows\System32\drivers\AWSNVMe.sysMD5=107A18FF866DABA3C1F81A513F134BD0,SHA256=90A15A7EF2AF4B0ECBB863C8F28F105DE8A0779357FBC68580550846F0B5674C,IMPHASH=38C42FFC959E42970135FFB1C392B14FtrueAmazon Web Services, Inc.Valid 13241300x80000000000000003878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.951{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000003877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.951{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000003876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.951{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000003875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.951{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000003874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.935{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x80000000000000003873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.935{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x80000000000000003872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.935{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x80000000000000003871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-DeleteValue2022-10-27 12:47:48.732{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x80000000000000003870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.732{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x80000000000000003869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.670{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000003868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.670{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000003867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.670{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x80000000000000003866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.670{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000003865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.638{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x80000000000000003864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.638{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x80000000000000003863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.576{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000003862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.576{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000003861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.576{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000003860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.545{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000003859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.545{7C68B4B2-7DF4-635A-0100-000000008B02}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000003858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-276-SetValue2022-10-27 12:47:48.545{7C68B4B2-7DF4-635A-0100-000000008B02}4System