10341000x8000000000000000515590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.419{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000515589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.419{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.404{5C0BDE06-1A79-634D-1500-000000008502}1036\Winsock2\CatalogChangeListener-40c-0C:\Windows\system32\svchost.exe 10341000x8000000000000000515582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.404{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.388{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000515565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.388{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000515564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.388{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.372{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.357{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardwareCountDWORD (0x00000001) 13241300x8000000000000000515546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardwareBinary Data 12241200x8000000000000000515545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardwareCount 12241200x8000000000000000515544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.357{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpGatewayHardware 11241100x8000000000000000515543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17T10532022-10-17 09:03:53.341{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 10341000x8000000000000000515542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.341{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000515540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.341{5C0BDE06-1A79-634D-1500-000000008502}1036\atsvcC:\Windows\system32\svchost.exe 10341000x8000000000000000515537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.341{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.310{5C0BDE06-1A78-634D-1000-000000008502}960\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x8000000000000000515532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.310{5C0BDE06-1A78-634D-1000-000000008502}960\TermSrv_API_serviceC:\Windows\System32\svchost.exe 10341000x8000000000000000515531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.294{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.279{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.263{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.263{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.232{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.216{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.216{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.216{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x8000000000000000515510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x8000000000000000515509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x8000000000000000515508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000515507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x8000000000000000515506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x8000000000000000515505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000515504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000515503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000515502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseTerminatesTimeDWORD (0x634d2889) 13241300x8000000000000000515501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T2DWORD (0x634d26c7) 13241300x8000000000000000515500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T1DWORD (0x634d2181) 13241300x8000000000000000515499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseObtainedTimeDWORD (0x634d1a79) 13241300x8000000000000000515498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseDWORD (0x00000e10) 13241300x8000000000000000515497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpServer10.0.1.1 13241300x8000000000000000515496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000515495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpIPAddress10.0.1.15 13241300x8000000000000000515494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpInterfaceOptionsBinary Data 13241300x8000000000000000515493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMaskOptBinary Data 13241300x8000000000000000515492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDefaultGatewayBinary Data 13241300x8000000000000000515491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpNameServer10.0.0.2 13241300x8000000000000000515490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer10.0.0.2 13241300x8000000000000000515489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000515488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDomainus-east-2.compute.internal 13241300x8000000000000000515487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.200{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomainus-east-2.compute.internal 10341000x8000000000000000515486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.200{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000515481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.187{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.187{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x8000000000000000515469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000515466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000515465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000515464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000515463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseTerminatesTimeDWORD (0x00000000) 13241300x8000000000000000515462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T2DWORD (0x00000000) 13241300x8000000000000000515461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\T1DWORD (0x00000000) 13241300x8000000000000000515460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseObtainedTimeDWORD (0x00000000) 13241300x8000000000000000515459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\LeaseDWORD (0x00000000) 13241300x8000000000000000515458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpServer255.255.255.255 13241300x8000000000000000515457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMask255.0.0.0 13241300x8000000000000000515456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpIPAddress0.0.0.0 13241300x8000000000000000515455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\Dhcpv6StateDWORD (0x00000001) 12241200x8000000000000000515454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpInterfaceOptions 12241200x8000000000000000515453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDefaultGateway 12241200x8000000000000000515452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpSubnetMaskOpt 12241200x8000000000000000515451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpDomain 12241200x8000000000000000515450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain 12241200x8000000000000000515449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\DhcpNameServer 12241200x8000000000000000515448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer 13241300x8000000000000000515447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{116f43c7-1661-4e2c-a3d9-ea84c4d6fe8e}\Dhcpv6StateDWORD (0x00000000) 13241300x8000000000000000515446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.169{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000515442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.154{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000515438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.122{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.122{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.122{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.107{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.091{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.076{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.076{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.076{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0A00-000000008502}640740C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A77-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.060{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{5C0BDE06-1A78-634D-E503-000000000000}0x3e50SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0A00-000000008502}640704C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.044{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.029{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:52.997{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x8000000000000000515402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.982{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.982{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.919{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.919{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.904{5C0BDE06-1A78-634D-0E00-000000008502}904448C:\Windows\system32\LogonUI.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.888{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.888{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0A00-000000008502}640732C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.872{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A77-634D-0A00-000000008502}640740C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.857{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.843{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5C0BDE06-1A78-634D-E403-000000000000}0x3e40SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744952C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744952C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.841{5C0BDE06-1A78-634D-0C00-000000008502}744928C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.825{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0800-000000008502}512528C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0900-000000008502}588892C:\Windows\system32\winlogon.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.818{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{5C0BDE06-1A78-634D-FDB5-000000000000}0xb5fd1SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000515368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0800-000000008502}512616C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0900-000000008502}588592C:\Windows\system32\winlogon.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.817{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3be8055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000515365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1d27e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1b736|C:\Windows\system32\lsasrv.dll+1cce5|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.810{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744864C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744864C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744864C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.732{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A78-634D-0C00-000000008502}744852C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.716{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000515346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:52.669{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000515345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:52.669{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x8000000000000000515344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.638{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.638{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.638{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46838|c:\windows\system32\rpcss.dll+7593|c:\windows\system32\rpcss.dll+74fe|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.622{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.607{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.607{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.576{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.560{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.529{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.529{5C0BDE06-1A77-634D-0B00-000000008502}648728C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.388{5C0BDE06-1A77-634D-0A00-000000008502}640736C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.381{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.372{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.341{5C0BDE06-1A77-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.341{5C0BDE06-1A77-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17T1101SetValue2022-10-17 09:03:52.341{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008) 10341000x8000000000000000515320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:52.044{5C0BDE06-1A77-634D-0B00-000000008502}648652C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+5ac9c|C:\Windows\system32\lsasrv.dll+63e8f|C:\Windows\system32\lsasrv.dll+6f44e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+46b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.951{5C0BDE06-1A77-634D-0700-000000008502}504508C:\Windows\system32\wininit.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.951{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.951{5C0BDE06-1A77-634D-0700-000000008502}504508C:\Windows\system32\wininit.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.955{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\System32\lsass.exe10.0.14393.4704 (rs1_release.211004-1917)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000515315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.904{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.904{5C0BDE06-1A77-634D-0700-000000008502}504508C:\Windows\system32\wininit.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.902{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000515312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.810{5C0BDE06-1A77-634D-0600-000000008502}496500C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.807{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe- 10341000x8000000000000000515310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.794{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000515309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.747{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-host-ctus-attack-range-17 10341000x8000000000000000515308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A77-634D-0400-000000008502}416420C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.739{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{5C0BDE06-1A77-634D-0400-000000008502}416C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000515306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A77-634D-0600-000000008502}496500C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.744{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe- 10341000x8000000000000000515304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.735{5C0BDE06-1A77-634D-0600-000000008502}496C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000515301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.732{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000515300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x6059456b) 13241300x8000000000000000515299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x8000000000000000515298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x8000000000000000515297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:51.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 10341000x8000000000000000515294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.576{5C0BDE06-1A77-634D-0400-000000008502}416420C:\Windows\System32\smss.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.577{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5C0BDE06-1A77-634D-0400-000000008502}416C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000515292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.466{5C0BDE06-1A74-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}416C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.466{5C0BDE06-1A74-634D-0200-000000008502}320412C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}416C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:51.475{5C0BDE06-1A77-634D-0400-000000008502}416C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000515289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.138{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x8000000000000000515288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:49.138{5C0BDE06-1A74-634D-0200-000000008502}320324C:\Windows\System32\smss.exe{5C0BDE06-1A75-634D-0300-000000008502}364C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000515287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:49.134{5C0BDE06-1A75-634D-0300-000000008502}364C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000515286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000515283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000515279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:49.122{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x8000000000000000515277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000515274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5eb5a92d) 13241300x8000000000000000515272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.904{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\gencounter\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5eb5a92d) 13241300x8000000000000000515271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.895{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\intelppm\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5eb446cf) 13241300x8000000000000000515270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.866{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x8000000000000000515269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.866{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x8000000000000000515268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.866{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x8000000000000000515267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x8000000000000000515266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x8000000000000000515265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e8f8374) 13241300x8000000000000000515264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.654{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e8f8374) 13241300x8000000000000000515263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000515260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.607{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.576{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x8000000000000000515258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.560{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x8000000000000000515257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.497{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000515256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.497{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000515255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.497{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000515254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000515252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMinorVersionDWORD (0x00000037) 13241300x8000000000000000515249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000515248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000515247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.466{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000515244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x8000000000000000515243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.451{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000515242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.341{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000515241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{89bc14aa-3f37-11ed-abb2-806e6f6e6963}#0000000000100000 13241300x8000000000000000515238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:48.185{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{89bc14aa-3f37-11ed-abb2-806e6f6e6963}#0000000000100000 434400x8000000000000000515235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-172022-10-17 09:03:54.627Started13.014.50 10341000x8000000000000000516351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.777{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.776{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.774{5C0BDE06-1A7B-634D-3A00-000000008502}29362840C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.775{5C0BDE06-1A7B-634D-3B00-000000008502}2824C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x8000000000000000516338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.770{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.768{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.766{5C0BDE06-1A7B-634D-3900-000000008502}29002892C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.767{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x8000000000000000516325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.763{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.762{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.762{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.761{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.760{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.760{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11e04|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.760{5C0BDE06-1A7B-634D-3900-000000008502}2900C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.728{5C0BDE06-1A7B-634D-3800-000000008502}15121204C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000516311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:55.499{5C0BDE06-1A79-634D-1E00-000000008502}1940\aurora-agent-pprofC:\Program Files\Aurora-Agent\aurora-agent.exe 17141700x8000000000000000516310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:55.499{5C0BDE06-1A79-634D-1E00-000000008502}1940\aurora-agent-statusC:\Program Files\Aurora-Agent\aurora-agent.exe 13241300x8000000000000000516309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:55.488{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\EventMessageFile%%SystemRoot%%\System32\EventCreate.exe 13241300x8000000000000000516308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:55.488{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\TypesSupportedDWORD (0x00000007) 13241300x8000000000000000516307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:55.488{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent\CustomSourceDWORD (0x00000001) 12241200x8000000000000000516306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteKey2022-10-17 09:03:55.487{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\AuroraAgent 17141700x8000000000000000516305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:55.486{5C0BDE06-1A77-634D-0A00-000000008502}640\Winsock2\CatalogChangeListener-280-0C:\Windows\system32\services.exe 10341000x8000000000000000516304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.482{5C0BDE06-1A77-634D-0A00-000000008502}6401816C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000516303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.482{5C0BDE06-1A79-634D-1E00-000000008502}1940NT AUTHORITY\SYSTEMC:\Program Files\Aurora-Agent\aurora-agent.exeC:\Program Files\Aurora-Agent\service-startup.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-3700-000000008502}27602792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.453{5C0BDE06-1A7B-634D-3800-000000008502}1512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x8000000000000000516289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.445{5C0BDE06-1A7B-634D-3600-000000008502}20361260C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.446{5C0BDE06-1A7B-634D-3700-000000008502}2760C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x8000000000000000516276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11a87|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.439{5C0BDE06-1A7B-634D-3600-000000008502}2036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.428{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.427{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.397{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000516260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.375{5C0BDE06-1A79-634D-1C00-000000008502}1880NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-029f5607e7f211fe9\channels\health\surveyor-20221017090354-000MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.360{5C0BDE06-1A7B-634D-3500-000000008502}30523056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.360{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.345{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.339{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.332{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.326{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.325{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.325{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.306{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.290{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.229{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.214{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.179{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.111{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.074{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.074{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.073{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.073{5C0BDE06-1A7B-634D-3400-000000008502}30323036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.073{5C0BDE06-1A7B-634D-3500-000000008502}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x8000000000000000516119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.066{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3300-000000008502}30163020C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.063{5C0BDE06-1A7B-634D-3400-000000008502}3032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x8000000000000000516115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11a26|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.056{5C0BDE06-1A7B-634D-3300-000000008502}3016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3100-000000008502}29842988C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.050{5C0BDE06-1A7B-634D-3200-000000008502}3008C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c sc.exe qc npcap 10341000x8000000000000000516080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.044{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.044{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.043{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.041{5C0BDE06-1A79-634D-1900-000000008502}17881792C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.041{5C0BDE06-1A7B-634D-2F00-000000008502}29642968C:\Windows\system32\cmd.exe{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A7B-634D-3100-000000008502}2984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c sc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 154100x8000000000000000516064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.042{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.039{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.038{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.036{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.035{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe508|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.035{5C0BDE06-1A7B-634D-2F00-000000008502}2964C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.018{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.018{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A77-634D-0A00-000000008502}6401832C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.002{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.991{5C0BDE06-1A7A-634D-2C00-000000008502}28602892C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.991{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.991{5C0BDE06-1A7A-634D-2A00-000000008502}28442848C:\Windows\system32\cmd.exe{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.985{5C0BDE06-1A7A-634D-2D00-000000008502}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x8000000000000000516014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.960{5C0BDE06-1A7A-634D-2C00-000000008502}28602892C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2852C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2852C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A7A-634D-2800-000000008502}28122816C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2852C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.946{5C0BDE06-1A7A-634D-2B00-000000008502}2852C:\Windows\System32\find.exe10.0.14393.0 (rs1_release.160715-1616)Find String (grep) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFIND.EXEfind "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=1E16116CCE7317C0E87559DA23A4EAD3,SHA256=40C0EC6D7371D316BC1F0ABE80D0236F613C9FB88DCE2D9B5D5FD4A1A59E8B49,IMPHASH=8227B3EA21F13E06E81C9AA2636A858A{5C0BDE06-1A7A-634D-2800-000000008502}2812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000516008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A79-634D-1F00-000000008502}19681972C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11ad65|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.944{5C0BDE06-1A7A-634D-2A00-000000008502}2844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.896{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2900-000000008502}2824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{00000000-0000-0000-0000-000000000000}28122816C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2824C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.893{5C0BDE06-1A7A-634D-2900-000000008502}2824C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query "HKLM\Software\WOW6432Node\Npcap" /ve C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5C0BDE06-1A7A-634D-2800-000000008502}2812C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000515992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A7A-634D-2700-000000008502}26042664C:\Windows\system32\wbem\wmiprvse.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380bb|C:\Windows\System32\combase.dll+abdc2|C:\Windows\System32\combase.dll+acaee|C:\Windows\System32\combase.dll+ac8ff|C:\Windows\System32\combase.dll+2f278|C:\Windows\System32\combase.dll+2ee90|C:\Windows\System32\combase.dll+3be54|C:\Windows\System32\combase.dll+c2964|C:\Windows\System32\combase.dll+38f11|C:\Windows\System32\combase.dll+3a860|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+d5ff4|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b213|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000515990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.880{5C0BDE06-1A79-634D-1900-000000008502}17881792C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2812C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.885{5C0BDE06-1A7A-634D-2800-000000008502}2812C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 10341000x8000000000000000515987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.849{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.816{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.816{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.816{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.801{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.785{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.769{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.754{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.707{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:54.690{5C0BDE06-1A79-634D-1500-000000008502}1036\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x8000000000000000515869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.659{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.659{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A79-634D-1500-000000008502}10362540C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1033a|C:\Windows\system32\wbem\wbemcore.dll+2d14f|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.627{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.612{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.612{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.596{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.589{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000515855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.579{5C0BDE06-1A77-634D-0A00-000000008502}6401816C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.615{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x8000000000000000515852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000515851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000515850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000515849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000515848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.532{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000515846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x8000000000000000515845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.532{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x8000000000000000515844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.506{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.506{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.503{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1B00-000000008502}1872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1B00-000000008502}1872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.502{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.501{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.500{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.499{5C0BDE06-1A79-634D-1E00-000000008502}19401944C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000515770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.494{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000515769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.492{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2022-10-17 09:03:54.492 10341000x8000000000000000515768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.457{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.425{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0A00-000000008502}6401824C:\Windows\system32\services.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.410{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c10) 10341000x8000000000000000515738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000515724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361328C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361112C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361328C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A79-634D-1500-000000008502}10361112C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.394{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.393{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.393{5C0BDE06-1A78-634D-0C00-000000008502}744860C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.392{5C0BDE06-1A79-634D-1400-000000008502}10281724C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000515712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.392{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+35428|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.392{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.385{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c0f) 10341000x8000000000000000515709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.382{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}648724C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\samsrv.dll+376b|C:\Windows\SYSTEM32\samsrv.dll+3457|C:\Windows\SYSTEM32\samsrv.dll+337c|C:\Windows\SYSTEM32\samsrv.dll+32fe|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\samsrv.dll+376b|C:\Windows\SYSTEM32\samsrv.dll+3605|C:\Windows\SYSTEM32\samsrv.dll+35a3|C:\Windows\SYSTEM32\samsrv.dll+33c6|C:\Windows\SYSTEM32\samsrv.dll+32eb|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.381{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\samsrv.dll+3e49|C:\Windows\SYSTEM32\samsrv.dll+3c53|C:\Windows\SYSTEM32\samsrv.dll+32bf|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.363{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x8000000000000000515703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.355{5C0BDE06-1A7A-634D-2400-000000008502}23322364C:\Windows\system32\conhost.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.353{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x8000000000000000515701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.346{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.340{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.340{5C0BDE06-1A79-634D-1500-000000008502}10361736C:\Windows\system32\svchost.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.333{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.332{5C0BDE06-1A78-634D-0C00-000000008502}744780C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.327{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.327{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.325{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.324{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.323{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.323{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.318{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.318{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.292{5C0BDE06-1A77-634D-0A00-000000008502}6401824C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.278{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.275{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.270{5C0BDE06-1A79-634D-1500-000000008502}10361132C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.257{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.256{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.239{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.238{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.233{5C0BDE06-1A79-634D-1400-000000008502}10281520C:\Windows\system32\svchost.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.221{5C0BDE06-1A79-634D-1400-000000008502}10281660C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000515675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.219{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.200{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.130{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:54.129{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x8000000000000000515671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-DeleteValue2022-10-17 09:03:54.129{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x8000000000000000515670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.123{5C0BDE06-1A77-634D-0A00-000000008502}6401852C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.121{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.119{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:54.094{5C0BDE06-1A79-634D-1800-000000008502}1756\Winsock2\CatalogChangeListener-6dc-0C:\Windows\System32\spoolsv.exe 10341000x8000000000000000515666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.075{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.075{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.060{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.060{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:54.029{5C0BDE06-1A79-634D-1400-000000008502}1028\W32TIME_ALTC:\Windows\system32\svchost.exe 10341000x8000000000000000515661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.982{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.982{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.579{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe1.0.7Aurora AgentAurora AgentNextron Systemsaurora-agent.exe"C:\Program Files\Aurora-Agent\aurora-agent.exe" --service --config "C:\Program Files\Aurora-Agent\agent-config.yml"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=49DECA39E47E2CE4763AE97A807DD163,SHA256=3E6E4FB3B2A2C093D0C235736A7C31CD7EBE3EF9D15BE0602FC8CBBCAF0DA3D0,IMPHASH=6E0C98C468B7CCA0B81F6A50A530DE09{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.966{5C0BDE06-1A77-634D-0A00-000000008502}6401828C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.951{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.951{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.904{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.904{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A79-634D-1B00-000000008502}18721108C:\Windows\system32\conhost.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.888{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0A00-000000008502}640936C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.884{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.872{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.857{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000515638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.857{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000515637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.732{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.732{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.535{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=C54EE7993912F12A990D27C9BF8894C8,SHA256=AC1B7CBE413C5246B9A681CB975FF231204A740800A5555833B3E62952683157,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.700{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.700{5C0BDE06-1A77-634D-0A00-000000008502}6401832C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A77-634D-0A00-000000008502}6401824C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.552{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.669{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.654{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000515625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.607{5C0BDE06-1A78-634D-1200-000000008502}1020\trkwksC:\Windows\System32\svchost.exe 10341000x8000000000000000515624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.607{5C0BDE06-1A77-634D-0A00-000000008502}6401044C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.607{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x8000000000000000515622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.575{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.575{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1B00-000000008502}1872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0A00-000000008502}640368C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.534{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.544{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.529{5C0BDE06-1A74-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x00000285) 10341000x8000000000000000515609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.513{5C0BDE06-1A77-634D-0A00-000000008502}640944C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A79-634D-1500-000000008502}10361132C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1900-000000008502}1788C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.497{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.482{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.482{5C0BDE06-1A78-634D-0C00-000000008502}744776C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.482{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.466{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000515600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.466{5C0BDE06-1A77-634D-0A00-000000008502}640340C:\Windows\system32\services.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000515599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.464{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe10.0.14393.5356 (rs1_release.220906-1211)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=48B18DEA6BDDC1A22AD9EF16CE63A0A4,SHA256=E295AE0FC0EE67320590D8A49BC16054ACCB6E7BAF05DB531D10B0D6DB81A21C,IMPHASH=BDE05BF1A813EB07FFA212837CB0F528{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000515598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000515594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:53.451{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000515593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.451{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{BDB2D21F-838F-4EFA-9114-62C795BE4367}\DateLastConnectedBinary Data 13241300x8000000000000000515592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:53.451{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 17141700x8000000000000000515591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:03:53.451{5C0BDE06-1A79-634D-1500-000000008502}1036\SessEnvPublicRpcC:\Windows\system32\svchost.exe 354300x8000000000000000516491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.926{5C0BDE06-1A74-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal137netbios-ns 354300x8000000000000000516490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.926{5C0BDE06-1A74-634D-0100-000000008502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal137netbios-nsfalse10.0.1.255-137netbios-ns 354300x8000000000000000516489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:54.688{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:89bc:fcc:ffff-50205-truea00:10e:0:0:0:0:0:0-53domain 10341000x8000000000000000516488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.797{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.795{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+3462b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+153d1|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.794{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.762{5C0BDE06-1A7C-634D-4500-000000008502}30642840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000516474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:03:56.553{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000054c) 10341000x8000000000000000516473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.482{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.480{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+15392|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.479{5C0BDE06-1A7C-634D-4500-000000008502}3064C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.467{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.462{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A7C-634D-4300-000000008502}29362860C:\Windows\system32\cmd.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.461{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x8000000000000000516447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.457{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.455{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.454{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.454{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7B-634D-3A00-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116d5e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11389a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.454{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.414{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.396{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.396{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.384{5C0BDE06-1A7C-634D-4000-000000008502}17881108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.356{5C0BDE06-1A79-634D-1500-000000008502}10362540C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.344{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.331{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.330{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.328{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.327{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.210{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.210{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.206{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.190{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.186{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.183{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.183{5C0BDE06-1A7B-634D-3C00-000000008502}30122992C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000516406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.174{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x8000000000000000516405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.100{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.094{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.093{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.092{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.091{5C0BDE06-1A7C-634D-3E00-000000008502}28042784C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.092{5C0BDE06-1A7C-634D-4000-000000008502}1788C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list watchdog --no-log 10341000x8000000000000000516391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.091{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.089{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.089{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.088{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.087{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.086{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.086{5C0BDE06-1A79-634D-1C00-000000008502}18802212C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+64d7e 154100x8000000000000000516378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:55.889{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe-----"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=2680C09DDBD3B36FB9E1CA1BCC5CDCD6,SHA256=39896033C6C4FB84827E4CD1264241759BB38FC25C8CE110CF84D59C25517491,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x8000000000000000516377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.086{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.084{5C0BDE06-1A7C-634D-3D00-000000008502}29882984C:\Windows\system32\cmd.exe{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.085{5C0BDE06-1A7C-634D-3E00-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list watchdog --no-log 10341000x8000000000000000516365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.081{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.080{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.080{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.078{5C0BDE06-1A7B-634D-3000-000000008502}29762980C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+11f3c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+a7f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.079{5C0BDE06-1A7C-634D-3D00-000000008502}2988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7B-634D-3000-000000008502}2976C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x8000000000000000516352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.051{5C0BDE06-1A7B-634D-3B00-000000008502}28242888C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.995{5C0BDE06-1A7D-634D-4A00-000000008502}29882984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000516552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.170{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49677-false169.254.169.254-80http 354300x8000000000000000516551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.169{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49676-false169.254.169.254-80http 354300x8000000000000000516550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.167{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49675-false169.254.169.254-80http 354300x8000000000000000516549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.166{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49674-false169.254.169.254-80http 354300x8000000000000000516548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.162{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49673-false169.254.169.254-80http 354300x8000000000000000516547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.161{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-17.us-east-2.compute.internal49672-false169.254.169.254-80http 10341000x8000000000000000516546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.647{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.645{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A7D-634D-4900-000000008502}16082996C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.644{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x8000000000000000516533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.639{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.639{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.639{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.636{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.636{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+154e7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.637{5C0BDE06-1A7D-634D-4900-000000008502}1608C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.443{5C0BDE06-1A7D-634D-4800-000000008502}11082764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.146{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.143{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.142{5C0BDE06-1A7D-634D-4700-000000008502}28042808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.142{5C0BDE06-1A7D-634D-4800-000000008502}1108C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x8000000000000000516506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.137{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.136{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.136{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.136{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.134{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+154b3|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.135{5C0BDE06-1A7D-634D-4700-000000008502}2804C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.083{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7C-634D-4600-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:57.078{5C0BDE06-1A7C-634D-4600-000000008502}29842988C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000516716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:56.219{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1d86:8688:3088:5b16win-host-ctus-attack-range-17.us-east-2.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x8000000000000000516715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.893{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.892{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.891{5C0BDE06-1A7E-634D-4F00-000000008502}28082784C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.891{5C0BDE06-1A7E-634D-5000-000000008502}2840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x8000000000000000516702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.886{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.873{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.872{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.872{5C0BDE06-1A7E-634D-4E00-000000008502}11082764C:\Windows\system32\cmd.exe{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.872{5C0BDE06-1A7E-634D-4F00-000000008502}2808C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x8000000000000000516689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.867{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.866{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.866{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.864{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.864{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+15625|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.865{5C0BDE06-1A7E-634D-4E00-000000008502}1108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x8000000000000000516676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.789{5C0BDE06-1A7E-634D-4D00-000000008502}2988NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=15300FEF3E1C8844615AD2F0C722B08B,SHA256=D2E7AF8752D3526976E0566B0C1F2FA5A25A2D8FFF05D0F294C916BD54638498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.731{5C0BDE06-1A7E-634D-4D00-000000008502}29881612C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1325115|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.485{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.485{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.485{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4300-000000008502}2936C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.483{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.482{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.481{5C0BDE06-1A79-634D-1E00-000000008502}19402908C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C190) 10341000x8000000000000000516593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.436{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.435{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.433{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.429{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.429{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7D-634D-4A00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1557b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.430{5C0BDE06-1A7E-634D-4D00-000000008502}2988C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.364{5C0BDE06-1A7E-634D-4C00-000000008502}27642840C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.050{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.049{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.049{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.048{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.047{5C0BDE06-1A7E-634D-4B00-000000008502}19921792C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.047{5C0BDE06-1A7E-634D-4C00-000000008502}2764C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x8000000000000000516566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.043{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.040{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.039{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.039{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42b6c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42d38|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+42e07|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4393e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+10451|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1551b|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:58.039{5C0BDE06-1A7E-634D-4B00-000000008502}1992C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.929{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.928{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.928{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.928{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.927{5C0BDE06-1A7F-634D-5600-000000008502}3000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000516785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.680{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=15300FEF3E1C8844615AD2F0C722B08B,SHA256=D2E7AF8752D3526976E0566B0C1F2FA5A25A2D8FFF05D0F294C916BD54638498,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.604{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.603{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.603{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.601{5C0BDE06-1A7F-634D-5400-000000008502}27641108C:\Windows\system32\cmd.exe{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.602{5C0BDE06-1A7F-634D-5500-000000008502}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.2.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=8D6F818FECD4C69C51C197EDE916B4D1,SHA256=93B23F0D5DA9AE938E2984B6CDA793B83C1623C3633C7F4F62CDBD030629355B,IMPHASH=88D6255781D526DD9C6D614B7EA689F4{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x8000000000000000516771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.598{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.594{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+11572e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116d5e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1138cf|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.595{5C0BDE06-1A7F-634D-5400-000000008502}2764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000516758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.593{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=187E33D9B56F557FBE6F5D6435CCBD30,SHA256=CCE27D14D09DE791EB046BADB606438CBD915F60507810471DE5FC7D75790BE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000516757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.553{5C0BDE06-1A7F-634D-5300-000000008502}29841992C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.270{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.267{5C0BDE06-1A7F-634D-5200-000000008502}30002996C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+296c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2b38|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2f06|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+bdac|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.268{5C0BDE06-1A7F-634D-5300-000000008502}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x8000000000000000516743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.263{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.259{5C0BDE06-1A7F-634D-5100-000000008502}16122988C:\Windows\system32\cmd.exe{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.260{5C0BDE06-1A7F-634D-5200-000000008502}3000C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.2.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=337E4FC11773E1487D523D9AB465E05E,SHA256=ED4CB174BFB1452A370B95B117445FE15D35C5B387278120949810DD32B9FB6D,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x8000000000000000516730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.256{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.249{5C0BDE06-1A7C-634D-4400-000000008502}29002768C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+46426|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+34895|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+156ca|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4ff98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.250{5C0BDE06-1A7F-634D-5100-000000008502}1612C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A7C-634D-4400-000000008502}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x8000000000000000516717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:03:59.220{5C0BDE06-1A7E-634D-5000-000000008502}28403064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1325115|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1324c46|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11b53c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+11acdd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+1cc19c0|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.989{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.951{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.914{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.890{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.891{5C0BDE06-1A80-634D-5F00-000000008502}2784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.874{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.832{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.796{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.773{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.775{5C0BDE06-1A80-634D-5E00-000000008502}2840C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.763{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.716{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.682{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.668{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.671{5C0BDE06-1A80-634D-5D00-000000008502}2892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.637{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.589{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.558{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.560{5C0BDE06-1A80-634D-5C00-000000008502}2988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.542{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.507{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.467{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.454{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.454{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.453{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.452{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5B00-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.452{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.452{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.449{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.449{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.450{5C0BDE06-1A80-634D-5B00-000000008502}1984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.413{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.349{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.347{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.346{5C0BDE06-1A80-634D-5A00-000000008502}3004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.243{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.240{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.240{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.241{5C0BDE06-1A80-634D-5900-000000008502}2808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.139{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.138{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.137{5C0BDE06-1A80-634D-5800-000000008502}2936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.035{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.033{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.032{5C0BDE06-1A80-634D-5700-000000008502}1984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.984{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.934{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.889{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.844{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.808{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.752{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000516948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.751{5C0BDE06-1A79-634D-1F00-000000008502}19682928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+8974f2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+891c39|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88e15a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88dcb0|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+88daed|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a056b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7a77ce|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+783fe4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+785894|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+10aeb7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+114111|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1112c9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+fe6f1|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000516947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:00.999{5C0BDE06-1A80-634D-6000-000000008502}2984C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=B0EEDA46BB8CCD5FA6571045330B10BC,SHA256=DA61CF997DF9A045242CE0F4070302E135975E82D9AC8EFCA88C8818E578C679,IMPHASH=01B7D47D95694EF08C4D38972FE4BD1F{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000516946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.717{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.681{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.610{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.564{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.529{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.493{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.458{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.412{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.380{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.310{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.269{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.223{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.144{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.070{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:01.030{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.968{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.913{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.868{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.826{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.749{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.689{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.630{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.587{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.540{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.495{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.437{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.392{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000516971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-CreatePipe2022-10-17 09:04:02.379{5C0BDE06-1A77-634D-0B00-000000008502}648\Winsock2\CatalogChangeListener-288-0C:\Windows\system32\lsass.exe 10341000x8000000000000000516970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.335{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.289{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.191{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.077{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:02.021{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.954{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.954{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.953{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.951{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.951{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.872{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.870{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.870{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1A00-000000008502}1864C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.857{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.857{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.857{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1800-000000008502}1756C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1700-000000008502}1228C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.827{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1400-000000008502}1028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.826{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1300-000000008502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1200-000000008502}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.825{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.824{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.824{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.824{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1000-000000008502}960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.822{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.822{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.822{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0F00-000000008502}912C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.816{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.816{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.816{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0E00-000000008502}904C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.814{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.813{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.813{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0D00-000000008502}804C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.812{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.812{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.812{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-0C00-000000008502}744C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.806{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.805{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.805{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.798{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.798{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.797{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.777{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.777{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.777{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0900-000000008502}588C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.750{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.750{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.750{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0800-000000008502}512C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.749{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.749{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.748{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.721{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.721{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.721{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.716{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.716{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.716{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.703{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.702{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.702{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.700{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.700{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.700{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000516995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.533{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.486{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.411{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.370{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.331{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.295{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.251{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.207{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.163{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.113{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.070{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000516984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:03.026{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.080{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.077{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.077{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.025{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.025{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:04.025{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1C00-000000008502}1880C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.839{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.838{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.838{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.838{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.837{5C0BDE06-1A85-634D-6200-000000008502}32883292C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+5fc32|C:\Windows\System32\KERNELBASE.dll+5f7c6|C:\Windows\System32\KERNEL32.DLL+1bcc3|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+4b8b6b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+1fe749|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+201333|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+c41921|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.810{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exe1.55Npcap OEM 1.55 installerNpcap OEM--/winpcap_mode=no /no_kill=yes /SC:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=0FE4958B3C68EF3822F99F158FEA850C,SHA256=1F035C0498863B41B64DF87099EC20F80C6DB26B12D27B5AFEF1C1AD3FA28690,IMPHASH=DFB595641ED97366338A474595C7BE08{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" 10341000x8000000000000000517141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.805{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4200-000000008502}2820C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-4100-000000008502}2792C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.675{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.674{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.674{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.673{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.672{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=B0EEDA46BB8CCD5FA6571045330B10BC,SHA256=DA61CF997DF9A045242CE0F4070302E135975E82D9AC8EFCA88C8818E578C679,IMPHASH=01B7D47D95694EF08C4D38972FE4BD1F{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.667{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.666{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.666{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7C-634D-3F00-000000008502}1908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.485{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1E00-000000008502}1940C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000517114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:04:05.462{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bdb2d21f-838f-4efa-9114-62c795be4367}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x8000000000000000517113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:04:05.462{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bdb2d21f-838f-4efa-9114-62c795be4367}\LastProbeTimeDWORD (0x634d1a85) 10341000x8000000000000000517112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.435{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.435{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.435{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7B-634D-2E00-000000008502}2932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.433{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.433{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.433{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2700-000000008502}2604C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.411{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.411{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.411{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2600-000000008502}2568C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.403{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2500-000000008502}2388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.400{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.400{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.400{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2400-000000008502}2332C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.395{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.395{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.395{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A7A-634D-2300-000000008502}2324C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.384{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.384{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.384{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.383{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.382{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.382{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2000-000000008502}1996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.381{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.381{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.381{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.375{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.186{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=91261DAE701C5D2F316493FA46443AB6,SHA256=0478C1FD9B7A8B856396889776A603CA1AB393142563A9F8839FCE35A0CC4BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.182{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=8507ED253CBB324479714FAB6078930E,SHA256=DCD2E99AE97541686E94617FF449008D85C062BAB3EF3EEDBF87DA1A6C7FF583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.178{5C0BDE06-1A79-634D-1F00-000000008502}1968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=C77298FBE7F3A33235B80B3FCC293549,SHA256=AD0E00300857BBF6171F19E1FE483390BC91ACE0E4E8478C8123BFD897E6B674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.941{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.941{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.941{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.940{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.940{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.940{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.938{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.938{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.938{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.936{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A85-634D-6200-000000008502}3288C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.706{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.706{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0500-000000008502}424C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.695{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.694{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.694{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0700-000000008502}504C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.693{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.693{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.693{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.692{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.692{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.692{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.691{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.690{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.688{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.686{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.686{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.669{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.668{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.665{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A78-634D-1100-000000008502}1008C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.656{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.655{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.655{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.655{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.654{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.654{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.639{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.639{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.637{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.637{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A74-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.631{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.629{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.627{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.593{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.584{5C0BDE06-1A85-634D-6200-000000008502}32883376C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+20199b|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a72093|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.577{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\System.dllMD5=F020A8D9EDE1FB2AF3651AD6E0AC9CB1,SHA256=7EFE73A8D32ED1B01727AD4579E9EEC49C9309F2CB7BF03C8AFA80D70242D1C0,IMPHASH=FC0224E99E736751432961DB63A41B76truetrue 10341000x8000000000000000517172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.574{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000517171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.573{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\options.iniMD5=D5B270807BD5E8E117DB66010FD51AFA,SHA256=5A5E297948D13919E4432A5F7544DA14DE5ACCBE6D228F32162669148853EDF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.570{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\InstallOptions.dllMD5=170C17AC80215D0A377B42557252AE10,SHA256=61EA114D9D0CD1E884535095AA3527A6C28DF55A4ECEE733C8C398F50B84CC3D,IMPHASH=4B45B7E00344A87332FBD12653854D1Atruetrue 23542300x8000000000000000517169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.568{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\final.iniMD5=CAE757421DB8D011E41266BFD9439885,SHA256=FF350A68202AADB145F590C8579F9284D2E3C324B0369FDE39E5A3A31D7B8204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000517168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.564{5C0BDE06-1A85-634D-6300-000000008502}3320NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B04.tmpMD5=E885C9B9629ECE93849C22D33B660A41,SHA256=DFCC6C69907CCFB159D25532905C5C55CA8592FDF30E136E0C1F836467880769,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000517167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.558{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.557{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.539{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.539{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.348{5C0BDE06-1A86-634D-6400-000000008502}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.2.5Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=6C9AC5FDD1CC3DE4B5CE3554BB97C44D,SHA256=0A50534D41D6E6CB8CF82D11B50318C26429D606EF43C9B9DC10C9098B87DE77,IMPHASH=B93C7B1A01AE4E8C3FA69FD9F2A758E7{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000517155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17DLL2022-10-17 09:04:06.526{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\System.dll2022-10-17 09:04:06.526 11241100x8000000000000000517154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17DLL2022-10-17 09:04:06.502{5C0BDE06-1A85-634D-6300-000000008502}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npcap-1.55-oem.exeC:\Windows\Temp\nsp4B05.tmp\InstallOptions.dll2022-10-17 09:04:06.502 10341000x8000000000000000517270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.775{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.772{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.772{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.383{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.375{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.372{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.371{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.370{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.370{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.125{5C0BDE06-1A87-634D-6500-000000008502}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.157{5C0BDE06-1A77-634D-0B00-000000008502}6481068C:\Windows\system32\lsass.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000517247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.794{5C0BDE06-1A85-634D-6200-000000008502}3288win-host-ctus-attack-range-170fe80::1d86:8688:3088:5b16;::ffff:10.0.1.15;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 22542200x8000000000000000517246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.463{5C0BDE06-1A79-634D-1600-000000008502}1220us-east-2.compute.internal1223-C:\Windows\System32\svchost.exe 22542200x8000000000000000517245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.462{5C0BDE06-1A79-634D-1600-000000008502}1220bfozjxnakhan1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000517244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.429{5C0BDE06-1A79-634D-1400-000000008502}1028wpad1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000517243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.429{5C0BDE06-1A79-634D-1600-000000008502}1220www.msftconnecttest.com1460-C:\Windows\System32\svchost.exe 22542200x8000000000000000517242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:05.375{5C0BDE06-1A79-634D-1600-000000008502}1220_ldap._tcp.dc._msdcs.us-east-2.compute.internal.1460-C:\Windows\System32\svchost.exe 10341000x8000000000000000517294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.597{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.595{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.595{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-2100-000000008502}892C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.510{5C0BDE06-1A88-634D-6600-000000008502}34483452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.296{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.294{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.293{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.292{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.292{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.292{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.062{5C0BDE06-1A88-634D-6600-000000008502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.155{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.155{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A77-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.154{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 10341000x8000000000000000517271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.154{5C0BDE06-1A79-634D-1E00-000000008502}19402844C:\Program Files\Aurora-Agent\aurora-agent.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001318C3D0) 13241300x8000000000000000517312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-SetValue2022-10-17 09:04:09.484{5C0BDE06-1A79-634D-1500-000000008502}1036C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 22542200x8000000000000000517311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.155{5C0BDE06-1A79-634D-2100-000000008502}892WIN-HOST-CTUS-A0::ffff:10.0.1.15;C:\Windows\System32\svchost.exe 22542200x8000000000000000517310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.572{5C0BDE06-1A79-634D-1500-000000008502}1036isatap.us-east-2.compute.internal1460-C:\Windows\System32\svchost.exe 10341000x8000000000000000517309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.066{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:08.901{5C0BDE06-1A88-634D-6700-000000008502}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000517296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.335{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9800:89bc:fcc:ffff-53858-truee000:fc:fcc:ffff:357:d8aa:3f8:ffff-5355llmnr 354300x8000000000000000517295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:06.335{5C0BDE06-1A79-634D-1600-000000008502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:1d86:8688:3088:5b16win-host-ctus-attack-range-17.us-east-2.compute.internal53858-trueff02:0:0:0:0:0:1:3-5355llmnr 10341000x8000000000000000517354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.982{5C0BDE06-1A8A-634D-6A00-000000008502}35683572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.748{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.567{5C0BDE06-1A8A-634D-6A00-000000008502}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000517340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.576{5C0BDE06-1A77-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.343{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.343{5C0BDE06-1A7C-634D-3F00-000000008502}19083048C:\Windows\system32\conhost.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.342{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.341{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.339{5C0BDE06-1A77-634D-0500-000000008502}424440C:\Windows\system32\csrss.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.338{5C0BDE06-1A7B-634D-3C00-000000008502}30122992C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+64e3e 154100x8000000000000000517327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.331{5C0BDE06-1A8A-634D-6900-000000008502}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5C0BDE06-1A7B-634D-3C00-000000008502}3012C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 22542200x8000000000000000517326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:07.852{5C0BDE06-1A85-634D-6200-000000008502}3288win-host-ctus-attack-range-17010.0.1.15;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x8000000000000000517325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.007{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.005{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.005{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.005{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.004{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.003{5C0BDE06-1A77-634D-0500-000000008502}4241048C:\Windows\system32\csrss.exe{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:10.003{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000517313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:09.762{5C0BDE06-1A89-634D-6800-000000008502}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.2.5Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5C0BDE06-1A78-634D-E703-000000000000}0x3e70SystemMD5=93E4AABDB4C09791F34C1FB96FFB7B34,SHA256=E04D140844ABB2D8C81C9FDC12A1D731CAEE3025C5A723F0358E74A49232797E,IMPHASH=745B5ABFE8841B7D74AD07D845F0D330{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000745169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.710{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.694{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3400-000000008502}3124C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.646{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.631{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.591{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.590{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.589{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.588{A78D3DEB-1A89-634D-3000-000000008502}28322836C:\Program Files\Aurora-Agent\aurora-agent.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|C:\Program Files\Aurora-Agent\aurora-agent.exe+d4de30 10341000x8000000000000000745019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.580{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.549{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000745017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.549{A78D3DEB-1A79-634D-0A00-000000008502}6402528C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000745016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.834{A78D3DEB-1A89-634D-2A00-000000008502}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.2.5splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=E233074E423EF6D02DEAAC31BE8A5013,SHA256=640FF958BCC92F04097D22520797BAA18B7CDB196C7149AB8D73FF51179BC746,IMPHASH=4ECC46994D80B28878D10B74C732EB89{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000745015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000745000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.454{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.439{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.392{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.376{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.375{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.375{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.359{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.344{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.328{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.312{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.297{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.266{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.264{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.264{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.264{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.244{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:10.243{A78D3DEB-1A7C-634D-1600-000000008502}1236\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x8000000000000000744886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.243{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.228{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.227{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.212{A78D3DEB-1A8A-634D-3300-000000008502}2100C:\Windows\System32\vds.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F43B67F8FB870A731294662603690C2F,SHA256=9707255C9778F9A8135BAA4F1A16FAC9EBF2991FD6AF937B232D5FA52D14AC33,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.214{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.214{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.213{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.213{A78D3DEB-1A79-634D-0A00-000000008502}640708C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.921{A78D3DEB-1A89-634D-3000-000000008502}2832C:\Program Files\Aurora-Agent\aurora-agent.exe1.0.7Aurora AgentAurora AgentNextron Systemsaurora-agent.exe"C:\Program Files\Aurora-Agent\aurora-agent.exe" --service --config "C:\Program Files\Aurora-Agent\agent-config.yml"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=49DECA39E47E2CE4763AE97A807DD163,SHA256=3E6E4FB3B2A2C093D0C235736A7C31CD7EBE3EF9D15BE0602FC8CBBCAF0DA3D0,IMPHASH=6E0C98C468B7CCA0B81F6A50A530DE09{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.206{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.192{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.176{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.174{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.174{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.173{A78D3DEB-1A8A-634D-3200-000000008502}2124C:\Windows\System32\vdsldr.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=B344B812DD6C294360563E52B2EF1C13,SHA256=0A4CA31848D7513F97F72D0292F5BBEE1CA409AAFFCACDE5369E12003B34118D,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000744865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.164{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.149{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.076{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.076{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.854{A78D3DEB-1A89-634D-2E00-000000008502}2700C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=C54EE7993912F12A990D27C9BF8894C8,SHA256=AC1B7CBE413C5246B9A681CB975FF231204A740800A5555833B3E62952683157,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.060{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.029{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.029{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.035{A78D3DEB-1A8A-634D-3100-000000008502}3036C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000744856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:10.013{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.982{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.982{A78D3DEB-1A79-634D-0A00-000000008502}640724C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.982{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A7C-634D-1200-000000008502}4482216C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000744851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:09.967{A78D3DEB-1A89-634D-2F00-000000008502}2812\netdfsC:\Windows\system32\dfssvc.exe 10341000x8000000000000000744848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.967{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.951{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.920{A78D3DEB-1A79-634D-0A00-000000008502}640356C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.828{A78D3DEB-1A89-634D-2800-000000008502}2600C:\Windows\System32\dfsrs.exe10.0.14393.4169 (rs1_release.210107-1130)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F2483716D6C752FB448C7295AA3B49A1,SHA256=6B77249159D3C217694B52F0B1C75E0649486EF4A3FE4513CD41D81E7DEB709A,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 154100x8000000000000000744837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.902{A78D3DEB-1A89-634D-2F00-000000008502}2812C:\Windows\System32\dfssvc.exe10.0.14393.4825 (rs1_release.211202-1611)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=D1EFE6799897721D4FA45438D8215321,SHA256=8897D358D289BE6CE7D67922E5A713A997A5317C74C44935C212898AE498F516,IMPHASH=C8B32AEEF22A97D88BD68D70385A1B30{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.904{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.904{A78D3DEB-1A79-634D-0A00-000000008502}6402536C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.844{A78D3DEB-1A89-634D-2B00-000000008502}2648C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0A00-000000008502}640724C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.847{A78D3DEB-1A89-634D-2D00-000000008502}2672C:\Windows\System32\dns.exe10.0.14393.5356 (rs1_release.220906-1211)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=8E57D858F7ECCAAEB80D348BD4C14434,SHA256=830DB8427582E91CB6A903D695F5D49CF6168470A8FDF3B886BED8940D4F39AB,IMPHASH=A9372A5933F0A34E60D75696B5C69952{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.888{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.857{A78D3DEB-1A79-634D-0A00-000000008502}640372C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:09.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000744820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:09.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000744819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.857{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0A00-000000008502}640384C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0A00-000000008502}6402544C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2C00-000000008502}2664C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.841{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.828{A78D3DEB-1A89-634D-2900-000000008502}2608C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.826{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.816{A78D3DEB-1A89-634D-2700-000000008502}2572C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.4046Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=868245AE57651C1D8889B528A182C81A,SHA256=2BA73582B4334AEDA469B97D528C24CCB2392FD189524198017D59DF4C4F6504,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0A00-000000008502}6402540C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.810{A78D3DEB-1A79-634D-0A00-000000008502}640732C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.813{A78D3DEB-1A89-634D-2600-000000008502}2564C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:09.795{A78D3DEB-1A89-634D-2500-000000008502}2488\Winsock2\CatalogChangeListener-9b8-0C:\Windows\System32\spoolsv.exe 10341000x8000000000000000744773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.795{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.763{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.748{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.748{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.739{A78D3DEB-1A89-634D-2500-000000008502}2488C:\Windows\System32\spoolsv.exe10.0.14393.5356 (rs1_release.220906-1211)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=48B18DEA6BDDC1A22AD9EF16CE63A0A4,SHA256=E295AE0FC0EE67320590D8A49BC16054ACCB6E7BAF05DB531D10B0D6DB81A21C,IMPHASH=BDE05BF1A813EB07FFA212837CB0F528{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.732{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:09.685{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:07.232{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:07.232{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:06.560{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.716{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.701{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:05.611{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x8000000000000000744742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:04:05.611{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x8000000000000000744741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.611{A78D3DEB-1A79-634D-0B00-000000008502}648688C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.611{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.583{A78D3DEB-1A85-634D-2300-000000008502}2344C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:05.576{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0D00-000000008502}908\RpcProxy\593C:\Windows\system32\svchost.exe 13241300x8000000000000000744730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:05.576{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 17141700x8000000000000000744729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:05.560{A78D3DEB-1A79-634D-0B00-000000008502}648\5f2963b50b66aa0fC:\Windows\system32\lsass.exe 17141700x8000000000000000744728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:04:05.560{A78D3DEB-1A79-634D-0B00-000000008502}648\RpcProxy\49669C:\Windows\system32\lsass.exe 10341000x8000000000000000744727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:04.513{A78D3DEB-1A7C-634D-1200-000000008502}4481048C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000744726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:04.498{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000000) 13241300x8000000000000000744724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000744723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000744722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\FlagsDWORD (0x00000000) 13241300x8000000000000000744721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\TtlDWORD (0x000004b0) 13241300x8000000000000000744720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentPriUpdateToIpBinary Data 13241300x8000000000000000744719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\SentUpdateToIpBinary Data 13241300x8000000000000000744718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\DnsServersBinary Data 13241300x8000000000000000744717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\HostAddrsBinary Data 13241300x8000000000000000744716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\PrimaryDomainNameattackrange.local 13241300x8000000000000000744715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\AdapterDomainName(Empty) 13241300x8000000000000000744714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:03.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\Hostnamewin-dc-ctus-attack-range-801 10341000x8000000000000000744713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:04:02.357{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:04:00.341{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000558) 10341000x8000000000000000744700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.841{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.701{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 10341000x8000000000000000744687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.357{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.341{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{cdbf2ad9-d9df-495a-8b70-d479c6e12b96}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x8000000000000000744677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.341{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{cdbf2ad9-d9df-495a-8b70-d479c6e12b96}\LastProbeTimeDWORD (0x634d1a7f) 13241300x8000000000000000744676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.341{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{CDBF2AD9-D9DF-495A-8B70-D479C6E12B96}\DateLastConnectedBinary Data 10341000x8000000000000000744675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:59.341{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:59.248{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000744669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.388{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000557) 13241300x8000000000000000744668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardwareCountDWORD (0x00000001) 13241300x8000000000000000744667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardwareBinary Data 12241200x8000000000000000744666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardwareCount 12241200x8000000000000000744665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:58.201{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpGatewayHardware 13241300x8000000000000000744664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.185{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000744663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.185{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\RegisteredSinceBootDWORD (0x00000000) 13241300x8000000000000000744662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:58.185{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{AF31B317-3A21-4F0E-AF8D-DF03B82FA994}\StaleAdapterDWORD (0x00000000) 10341000x8000000000000000744661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.404{A78D3DEB-1A7D-634D-2200-000000008502}22322252C:\Windows\system32\conhost.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A7D-634D-2200-000000008502}2232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7C-634D-1600-000000008502}12361596C:\Windows\system32\svchost.exe{A78D3DEB-1A7D-634D-2100-000000008502}2224C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{A78D3DEB-1A7D-634D-2000-000000008502}2208C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.388{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7D-634D-2000-000000008502}2208C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{00000000-0000-0000-0000-000000000000}21962200C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2208C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.386{A78D3DEB-1A7D-634D-2000-000000008502}2208C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{A78D3DEB-1A7D-634D-1F00-000000008502}2196C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c sc.exe qc npcap 10341000x8000000000000000744651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.373{A78D3DEB-1A7C-634D-1800-000000008502}19801984C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.379{A78D3DEB-1A7D-634D-1F00-000000008502}2196C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c sc.exe qc npcapC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A7C-634D-1800-000000008502}1980C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 10341000x8000000000000000744647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2172C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2172C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A7D-634D-1C00-000000008502}21482152C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2172C:\Windows\system32\find.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.329{A78D3DEB-1A7D-634D-1E00-000000008502}2172C:\Windows\System32\find.exe10.0.14393.0 (rs1_release.160715-1616)Find String (grep) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFIND.EXEfind "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=1E16116CCE7317C0E87559DA23A4EAD3,SHA256=40C0EC6D7371D316BC1F0ABE80D0236F613C9FB88DCE2D9B5D5FD4A1A59E8B49,IMPHASH=8227B3EA21F13E06E81C9AA2636A858A{A78D3DEB-1A7D-634D-1C00-000000008502}2148C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000744643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.326{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{A78D3DEB-1A7D-634D-1D00-000000008502}2160C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2160C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{00000000-0000-0000-0000-000000000000}21482152C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}2160C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.307{A78D3DEB-1A7D-634D-1D00-000000008502}2160C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg query "HKLM\Software\WOW6432Node\Npcap" /ve C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{A78D3DEB-1A7D-634D-1C00-000000008502}2148C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ" 10341000x8000000000000000744639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.295{A78D3DEB-1A7C-634D-1800-000000008502}19801984C:\Windows\SYSTEM32\cmd.exe{00000000-0000-0000-0000-000000000000}2148C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\SYSTEM32\cmd.exe+103c4|C:\Windows\SYSTEM32\cmd.exe+10910|C:\Windows\SYSTEM32\cmd.exe+c36d|C:\Windows\SYSTEM32\cmd.exe+8ad9|C:\Windows\SYSTEM32\cmd.exe+6fdd|C:\Windows\SYSTEM32\cmd.exe+11a9e|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.299{A78D3DEB-1A7D-634D-1C00-000000008502}2148C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c reg query "HKLM\Software\WOW6432Node\Npcap" /ve 2>nul | find "REG_SZ"C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{A78D3DEB-1A7C-634D-1800-000000008502}1980C:\Windows\System32\cmd.exeC:\Windows\SYSTEM32\cmd.exe /c "C:\Program Files\Npcap\CheckStatus.bat" 10341000x8000000000000000744635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.029{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:57.029{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000744631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.951{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.951{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.951{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x8000000000000000744626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1600-000000008502}12361792C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c54) 10341000x8000000000000000744622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.935{A78D3DEB-1A7C-634D-1A00-000000008502}2016992C:\Windows\system32\conhost.exe{A78D3DEB-1A7C-634D-1800-000000008502}1980C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.920{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.920{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.920{A78D3DEB-1A7C-634D-1200-000000008502}4481532C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.904{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.904{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x8000000000000000744605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000744604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000744602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2022-10-17 09:03:56.888 10341000x8000000000000000744601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.888{A78D3DEB-1A79-634D-0500-000000008502}4161776C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A79-634D-0A00-000000008502}640104C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1B00-000000008502}1212C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.873{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000c53) 10341000x8000000000000000744597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.873{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.857{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x8000000000000000744594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.826{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1A00-000000008502}2016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.810{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.795{A78D3DEB-1A7C-634D-1200-000000008502}4481580C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b20c|C:\Windows\System32\combase.dll+3aec2|C:\Windows\System32\combase.dll+39768|C:\Windows\System32\combase.dll+3755d|C:\Windows\System32\combase.dll+36c2f|C:\Windows\System32\combase.dll+52149|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000744590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.779{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.779{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+20dea|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.732{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1980C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.732{A78D3DEB-1A7C-634D-1600-000000008502}12361784C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}1980C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.716{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.685{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.670{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.654{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.638{A78D3DEB-1A7C-634D-1600-000000008502}1236\Winsock2\CatalogChangeListener-4d4-0C:\Windows\system32\svchost.exe 17141700x8000000000000000744563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.638{A78D3DEB-1A7C-634D-1600-000000008502}1236\SessEnvPublicRpcC:\Windows\system32\svchost.exe 10341000x8000000000000000744562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.638{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.591{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.591{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.591{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000744558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.localT10532022-10-17 09:03:56.513{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 10341000x8000000000000000744557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.513{A78D3DEB-1A7C-634D-1600-000000008502}1236\atsvcC:\Windows\system32\svchost.exe 10341000x8000000000000000744553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.513{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.482{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x8000000000000000744550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.451{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.451{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000744548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.435{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x00000285) 10341000x8000000000000000744547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.435{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.435{A78D3DEB-1A7C-634D-0F00-000000008502}300\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x8000000000000000744545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.435{A78D3DEB-1A7C-634D-0F00-000000008502}300\TermSrv_API_serviceC:\Windows\System32\svchost.exe 10341000x8000000000000000744544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648\Winsock2\CatalogChangeListener-288-1C:\Windows\system32\lsass.exe 10341000x8000000000000000744541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.420{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648\Winsock2\CatalogChangeListener-288-0C:\Windows\system32\lsass.exe 10341000x8000000000000000744539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.404{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x8000000000000000744536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.404{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000744535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.404{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x8000000000000000744531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x8000000000000000744530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x8000000000000000744529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 10341000x8000000000000000744527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x8000000000000000744525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.373{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x8000000000000000744524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.373{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.357{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x8000000000000000744513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.357{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.310{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.295{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.295{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.295{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.279{A78D3DEB-1A79-634D-0A00-000000008502}640356C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1700-000000008502}1376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x8000000000000000744485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.263{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000744479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.263{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 10341000x8000000000000000744473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.248{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.248{A78D3DEB-1A7C-634D-1100-000000008502}380\Winsock2\CatalogChangeListener-17c-0C:\Windows\System32\svchost.exe 17141700x8000000000000000744468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:56.248{A78D3DEB-1A7C-634D-1100-000000008502}380\eventlogC:\Windows\System32\svchost.exe 10341000x8000000000000000744467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.232{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1600-000000008502}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.216{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1500-000000008502}1184C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.201{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.185{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.185{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 13241300x8000000000000000744438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000744437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000744436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000744435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseTerminatesTimeDWORD (0x634d288c) 13241300x8000000000000000744434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T2DWORD (0x634d26ca) 13241300x8000000000000000744433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T1DWORD (0x634d2184) 13241300x8000000000000000744432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseObtainedTimeDWORD (0x634d1a7c) 13241300x8000000000000000744431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseDWORD (0x00000e10) 13241300x8000000000000000744430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpServer10.0.1.1 13241300x8000000000000000744429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000744428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpIPAddress10.0.1.14 13241300x8000000000000000744427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpInterfaceOptionsBinary Data 13241300x8000000000000000744426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMaskOptBinary Data 13241300x8000000000000000744425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDefaultGatewayBinary Data 13241300x8000000000000000744424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpNameServer10.0.0.2 13241300x8000000000000000744423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000744422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer10.0.0.2 13241300x8000000000000000744421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDomainus-east-2.compute.internal 13241300x8000000000000000744420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomainus-east-2.compute.internal 13241300x8000000000000000744419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000744418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x8000000000000000744417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000744416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000744415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000744414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseTerminatesTimeDWORD (0x00000000) 13241300x8000000000000000744413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T2DWORD (0x00000000) 13241300x8000000000000000744412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\T1DWORD (0x00000000) 13241300x8000000000000000744411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseObtainedTimeDWORD (0x00000000) 13241300x8000000000000000744410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\LeaseDWORD (0x00000000) 13241300x8000000000000000744409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpServer255.255.255.255 13241300x8000000000000000744408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMask255.0.0.0 13241300x8000000000000000744407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpIPAddress0.0.0.0 12241200x8000000000000000744406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpInterfaceOptions 13241300x8000000000000000744405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.154{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\Dhcpv6StateDWORD (0x00000001) 12241200x8000000000000000744404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDefaultGateway 12241200x8000000000000000744403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpSubnetMaskOpt 12241200x8000000000000000744402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpDomain 12241200x8000000000000000744401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain 12241200x8000000000000000744400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\DhcpNameServer 12241200x8000000000000000744399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer 13241300x8000000000000000744398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.138{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{af31b317-3a21-4f0e-af8d-df03b82fa994}\Dhcpv6StateDWORD (0x00000000) 10341000x8000000000000000744397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.138{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.138{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.123{A78D3DEB-1A79-634D-0A00-000000008502}640372C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.123{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:56.123{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x8000000000000000744392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0A00-000000008502}640104C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1400-000000008502}1072C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7C-634D-0E00-000000008502}10041060C:\Windows\system32\LogonUI.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.107{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0A00-000000008502}640776C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0A00-000000008502}640384C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A79-634D-0A00-000000008502}640384C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.076{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0800-000000008502}508524C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0900-000000008502}584992C:\Windows\system32\winlogon.exe{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.070{A78D3DEB-1A7C-634D-1300-000000008502}420C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{A78D3DEB-1A7C-634D-98C0-000000000000}0xc0981SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000744369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0A00-000000008502}6401020C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.069{A78D3DEB-1A7C-634D-1200-000000008502}448C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{A78D3DEB-1A7C-634D-E503-000000000000}0x3e50SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0A00-000000008502}640108C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1100-000000008502}380C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0A00-000000008502}640372C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-1000-000000008502}8C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1d27e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1b736|C:\Windows\system32\lsasrv.dll+1cce5|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.060{A78D3DEB-1A79-634D-0B00-000000008502}648772C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A79-634D-0A00-000000008502}640356C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.045{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0500-000000008502}416544C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0A00-000000008502}640728C:\Windows\system32\services.exe{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.037{A78D3DEB-1A7C-634D-0F00-000000008502}300C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{A78D3DEB-1A7B-634D-E403-000000000000}0x3e40SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852308C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852288C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648812C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A7B-634D-0C00-000000008502}852100C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.029{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0800-000000008502}508604C:\Windows\system32\csrss.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0900-000000008502}584588C:\Windows\system32\winlogon.exe{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.019{A78D3DEB-1A7C-634D-0E00-000000008502}1004C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b87055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000744335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A7B-634D-0C00-000000008502}852960C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:56.013{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852884C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852884C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852884C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852956C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.935{A78D3DEB-1A7B-634D-0C00-000000008502}852\LSM_API_serviceC:\Windows\system32\svchost.exe 10341000x8000000000000000744325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea9f|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A7B-634D-0C00-000000008502}852948C:\Windows\system32\svchost.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.920{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000744318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:55.888{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000744317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:55.888{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x8000000000000000744316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:55.888{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x8000000000000000744315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.858{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.858{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.858{A78D3DEB-1A79-634D-0700-000000008502}500\Winsock2\CatalogChangeListener-1f4-0C:\Windows\system32\wininit.exe 17141700x8000000000000000744312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.858{A78D3DEB-1A7B-634D-0D00-000000008502}908\epmapperC:\Windows\system32\svchost.exe 10341000x8000000000000000744311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.858{A78D3DEB-1A7B-634D-0C00-000000008502}852880C:\Windows\system32\svchost.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46838|c:\windows\system32\rpcss.dll+7593|c:\windows\system32\rpcss.dll+74fe|C:\Windows\System32\RPCRT4.dll+33c24|C:\Windows\System32\RPCRT4.dll+21580|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:55.841{A78D3DEB-1A7B-634D-0D00-000000008502}908\Winsock2\CatalogChangeListener-38c-0C:\Windows\system32\svchost.exe 10341000x8000000000000000744309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.841{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.841{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.841{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.826{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.826{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.810{A78D3DEB-1A79-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0D00-000000008502}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.795{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.795{A78D3DEB-1A79-634D-0B00-000000008502}648848C:\Windows\system32\lsass.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.763{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.623{A78D3DEB-1A79-634D-0A00-000000008502}640716C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.607{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.607{A78D3DEB-1A79-634D-0A00-000000008502}640644C:\Windows\system32\services.exe{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.611{A78D3DEB-1A7B-634D-0C00-000000008502}852C:\Windows\System32\svchost.exe10.0.14393.5006 (rs1_release.220301-1704)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=50737ECC79BD2F6429781DC7B4C3DC20,SHA256=71C4616890F03244C3737DEF2FA1E804A0EB86004C3D8B0817BEFC2A0C21BB7F,IMPHASH=9C33C8C3DCCAC65606FE5A9180D15924{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000744295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:55.591{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000744294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:54.966{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database EpochDWORD (0x00002fb4) 10341000x8000000000000000744293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0A00-000000008502}640\scerpcC:\Windows\system32\services.exe 10341000x8000000000000000744289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26eea|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:54.326{A78D3DEB-1A79-634D-0B00-000000008502}648696C:\Windows\system32\lsass.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000744287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:54.310{A78D3DEB-1A79-634D-0A00-000000008502}640\ntsvcsC:\Windows\system32\services.exe 10341000x8000000000000000744286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.935{A78D3DEB-1A79-634D-0B00-000000008502}648652C:\Windows\system32\lsass.exe{A78D3DEB-1A73-634D-0100-000000008502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+5ac9c|C:\Windows\system32\lsasrv.dll+63e8f|C:\Windows\system32\lsasrv.dll+6f44e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+46b8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.795{A78D3DEB-1A79-634D-0700-000000008502}500504C:\Windows\system32\wininit.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000744284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.795{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.795{A78D3DEB-1A79-634D-0700-000000008502}500504C:\Windows\system32\wininit.exe{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.804{A78D3DEB-1A79-634D-0B00-000000008502}648C:\Windows\System32\lsass.exe10.0.14393.4704 (rs1_release.211004-1917)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000744281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.748{A78D3DEB-1A79-634D-0500-000000008502}416432C:\Windows\system32\csrss.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.748{A78D3DEB-1A79-634D-0700-000000008502}500504C:\Windows\system32\wininit.exe{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000744279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.747{A78D3DEB-1A79-634D-0A00-000000008502}640C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\System32\wininit.exewininit.exe 17141700x8000000000000000744278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-CreatePipe2022-10-17 09:03:53.732{A78D3DEB-1A79-634D-0700-000000008502}500\InitShutdownC:\Windows\system32\wininit.exe 10341000x8000000000000000744277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.607{A78D3DEB-1A79-634D-0600-000000008502}492496C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.599{A78D3DEB-1A79-634D-0900-000000008502}584C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000744275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.592{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000744274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.560{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x8000000000000000744273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.560{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-dc-ctus-attack-range-801 10341000x8000000000000000744272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.560{A78D3DEB-1A79-634D-0400-000000008502}408412C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.554{A78D3DEB-1A79-634D-0700-000000008502}500C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{A78D3DEB-1A79-634D-0400-000000008502}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c 10341000x8000000000000000744270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A79-634D-0600-000000008502}492496C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.557{A78D3DEB-1A79-634D-0800-000000008502}508C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c 10341000x8000000000000000744268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.551{A78D3DEB-1A79-634D-0600-000000008502}492C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000744265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.545{A78D3DEB-1A73-634D-0200-000000008502}320332C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x8000000000000000744264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x616de25a) 13241300x8000000000000000744263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x8000000000000000744262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x8000000000000000744261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:53.466{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 10341000x8000000000000000744258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.404{A78D3DEB-1A79-634D-0400-000000008502}408412C:\Windows\System32\smss.exe{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.406{A78D3DEB-1A79-634D-0500-000000008502}416C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{A78D3DEB-1A79-634D-0400-000000008502}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c 10341000x8000000000000000744256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.279{A78D3DEB-1A73-634D-0200-000000008502}320404C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cd4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d401|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000744255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.279{A78D3DEB-1A73-634D-0200-000000008502}320404C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:53.282{A78D3DEB-1A79-634D-0400-000000008502}408C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000e0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000744253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.748{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x8000000000000000744252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:50.732{A78D3DEB-1A73-634D-0200-000000008502}320324C:\Windows\System32\smss.exe{A78D3DEB-1A76-634D-0300-000000008502}356C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\SYSTEM32\ntdll.dll+8c64e|C:\Windows\SYSTEM32\ntdll.dll+8c3f9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5179f 154100x8000000000000000744251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-2022-10-17 09:03:50.725{A78D3DEB-1A76-634D-0300-000000008502}356C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{A78D3DEB-1A79-634D-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{A78D3DEB-1A73-634D-0200-000000008502}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000744250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000744247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000744243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:50.716{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x8000000000000000744241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x8000000000000000744238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e51904a) 13241300x8000000000000000744236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\gencounter\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e51904a) 13241300x8000000000000000744235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\intelppm\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e51904a) 13241300x8000000000000000744234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x8000000000000000744233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x8000000000000000744232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.248{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x8000000000000000744231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-DeleteValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x8000000000000000744230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x8000000000000000744229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\umbus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e3294f0) 13241300x8000000000000000744228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:48.045{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d8e207-0x5e3294f0) 13241300x8000000000000000744227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000744224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.998{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x8000000000000000744222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.966{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x8000000000000000744221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.904{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x8000000000000000744220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.904{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x8000000000000000744219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.904{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x8000000000000000744218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000744216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x8000000000000000744215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.873{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMinorVersionDWORD (0x00000037) 13241300x8000000000000000744213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\DriverMajorVersionDWORD (0x00000001) 13241300x8000000000000000744212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMinorVersionDWORD (0x00000032) 13241300x8000000000000000744211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\npcap\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x8000000000000000744209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x8000000000000000744208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x8000000000000000744207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.857{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x8000000000000000744206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.701{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x8000000000000000744205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{0d7110ed-3f2e-11ed-abb2-806e6f6e6963}#0000000000100000 13241300x8000000000000000744202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000744201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x8000000000000000744200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local-SetValue2022-10-17 09:03:47.170{A78D3DEB-1A73-634D-0100-000000008502}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{0d7110ed-3f2e-11ed-abb2-806e6f6e6963}#0000000000100000 434400x8000000000000000744199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-801.attackrange.local2022-10-17 09:04:10.176Started13.014.50 10341000x8000000000000000517369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.770{5C0BDE06-1A8B-634D-6B00-000000008502}36083612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5C0BDE06-1A79-634D-1F00-000000008502}1968C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.449{5C0BDE06-1A7B-634D-2E00-000000008502}29322952C:\Windows\system32\conhost.exe{5C0BDE06-1A8B-634D-6B00-000000008502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.446{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.446{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.444{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A78-634D-0C00-000000008502}744956C:\Windows\system32\svchost.exe{5C0BDE06-1A79-634D-1D00-000000008502}1896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000517358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A77-634D-0500-000000008502}424548C:\Windows\system32\csrss.exe{5C0BDE06-1A8B-634D-6B00-000000008502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000517357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-17-2022-10-17 09:04:11.443{5C0BDE06-1A79-634D-1F00-000000008502}19683168C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5C0BDE06-1A8B-634D-6B00-000000008502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversal