734700x8000000000000000919576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\mprapi.dll10.0.14393.206 (rs1_release.160915-0644)Windows NT MP Router Administration DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmprapi.dllMD5=DD9328C2025498C73EF628F050C12F27,SHA256=AD427661F0AB7A37ECF6CA203DA1EB472B065AECC1BF9AAF06419E9707C7BFFEtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919549Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919522Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=B07D32F44DFADC6EB9BBAFA1783B8468,SHA256=C412A22F84E06BA8B13BC53BBA263F066C0152261198FA74D6C3D7D18BB470E9trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919495Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\rasdlg.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access Common Dialog APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasdlg.dllMD5=5340A941E97CFAC0CD565CEB9E7314CA,SHA256=381D996EB0E322D52D1ADBF2FAE12F032A12731DC2117D6409696904C4ABF6F8trueMicrosoft WindowsValidATTACKRANGE\Administrator
534500x8000000000000000919470Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeATTACKRANGE\Administrator
734700x8000000000000000919467Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=4AD563CA721F138B52B98887B7A6F484,SHA256=054C99FD96437F0C40F8B9A6342DC80006D3509D024A9591BEBA0DD314C9FCB5trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919466Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\rtutils.dll10.0.14393.4825 (rs1_release.211202-1611)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=BFEECEC703F03897BA21957955666CED,SHA256=C0D7519D2FBA16043809C939A497609FD23DC4A195EE00336584F021B915D92BtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.038{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919435Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919434Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919433Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76EtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919432Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919431Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919429Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\combase.dll10.0.14393.4946 (rs1_release.220131-0721)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=CF55818FEC021F7091D80130839F424A,SHA256=78F41233D06EA33435EC6E830A1DEC757146DC85D2C92F62C425B8F5D1843DFFtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919427Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=1223B41C4E7FF5638F168B51A08B8D19,SHA256=8B3F788B7DAB5C92150CCE73BB8D78E22359B457B025B1F17394AAE40CBC2918trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=8634E667D69FFD4CFC0A419A3199B619,SHA256=E87E08EB14BA4D49355BC49ED0DD79E2009528B88FA32B84F14F793064C488A0trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.007{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\rasautou.exe10.0.14393.0 (rs1_release.160715-1616)Remote Access DialerMicrosoft® Windows® Operating SystemMicrosoft Corporationrasdlui.exeMD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidATTACKRANGE\Administrator
10341000x8000000000000000919404Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.023{A5C32FFB-DF04-620B-8F27-000000003702}71726984C:\Windows\system32\conhost.exe{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator
734700x8000000000000000919397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.007{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=50FFF94E9C5357E2BE8356B52BD60D6F,SHA256=D6682E50A47E5721F112BE8BFABEB819F2554FDC7F0D2EBFAC4BC13D5B7DC883trueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.007{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator
734700x8000000000000000919393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.007{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator
10341000x8000000000000000919391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.007{A5C32FFB-AB44-620A-B400-000000003702}31605032C:\Windows\system32\csrss.exe{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator
10341000x8000000000000000919388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:37.007{A5C32FFB-B79D-620A-1F03-000000003702}62048740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator
154100x8000000000000000919387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-15 17:12:36.991{A5C32FFB-DF04-620B-9027-000000003702}1768C:\Windows\System32\rasautou.exe10.0.14393.0 (rs1_release.160715-1616)Remote Access DialerMicrosoft® Windows® Operating SystemMicrosoft Corporationrasdlui.exe"C:\Windows\system32\rasautou.exe" -d C:\temp\duedlligence.dll -p powershell –a a –e eC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{A5C32FFB-AB46-620A-A913-0B0000000000}0xb13a92HighMD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47{A5C32FFB-B79D-620A-1F03-000000003702}6204C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" ATTACKRANGE\Administrator
10341000x8000000000000000191137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:59.934{A5C32FFB-B2D1-620A-7D02-000000003702}90727352C:\Windows\system32\conhost.exe{A5C32FFB-B2DF-620A-8102-000000003702}8660C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000191132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:59.934{A5C32FFB-AB44-620A-B400-000000003702}3160364C:\Windows\system32\csrss.exe{A5C32FFB-B2DF-620A-8102-000000003702}8660C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000191131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:59.918{A5C32FFB-B2D2-620A-7E02-000000003702}75644616C:\Windows\system32\cmd.exe{A5C32FFB-B2DF-620A-8102-000000003702}8660C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000191130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:59.933{A5C32FFB-B2DF-620A-8102-000000003702}8660C:\Windows\System32\rasautou.exe10.0.14393.0 (rs1_release.160715-1616)Remote Access DialerMicrosoft® Windows® Operating SystemMicrosoft Corporationrasdlui.exerasautou -d C:\users\Administrator\Desktop\duedllgence.dll -p powershell -a a -e eC:\Users\Administrator\ATTACKRANGE\Administrator{A5C32FFB-AB46-620A-A913-0B0000000000}0xb13a92HighMD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47,IMPHASH=4DEB6099029EF388A82C081F043FC641{A5C32FFB-B2D2-620A-7E02-000000003702}7564C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*"
10341000x8000000000000000191129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:59.918{A5C32FFB-A9E5-620A-1200-000000003702}4845392C:\Windows\System32\svchost.exe{A5C32FFB-B2DF-620A-8102-000000003702}8660C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000191099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:47.553{A5C32FFB-B2D1-620A-7D02-000000003702}90727352C:\Windows\system32\conhost.exe{A5C32FFB-B2D3-620A-8002-000000003702}7612C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000191094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:47.553{A5C32FFB-AB44-620A-B400-000000003702}31607804C:\Windows\system32\csrss.exe{A5C32FFB-B2D3-620A-8002-000000003702}7612C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000191093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:47.553{A5C32FFB-B2D2-620A-7E02-000000003702}75644616C:\Windows\system32\cmd.exe{A5C32FFB-B2D3-620A-8002-000000003702}7612C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000191092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:47.562{A5C32FFB-B2D3-620A-8002-000000003702}7612C:\Windows\System32\rasautou.exe10.0.14393.0 (rs1_release.160715-1616)Remote Access DialerMicrosoft® Windows® Operating SystemMicrosoft Corporationrasdlui.exerasautou -d C:\users\Administrator\Desktop\duedllgence.cpl -p powershell -a a -e eC:\Users\Administrator\ATTACKRANGE\Administrator{A5C32FFB-AB46-620A-A913-0B0000000000}0xb13a92HighMD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47,IMPHASH=4DEB6099029EF388A82C081F043FC641{A5C32FFB-B2D2-620A-7E02-000000003702}7564C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /K "doskey git=^"C:\Program Files\Git\cmd\git.exe^" $*"
10341000x8000000000000000191091Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:47.553{A5C32FFB-A9E5-620A-1200-000000003702}4845392C:\Windows\System32\svchost.exe{A5C32FFB-B2D3-620A-8002-000000003702}7612C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000190841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:35.886{A5C32FFB-A9E5-620A-1400-000000003702}10641380C:\Windows\system32\svchost.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\tapisrv.dll+28e2e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000190840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:35.886{A5C32FFB-A9E3-620A-0B00-000000003702}6362444C:\Windows\system32\lsass.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000190839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:35.886{A5C32FFB-A9E3-620A-0B00-000000003702}6362444C:\Windows\system32\lsass.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000190831Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:34.849{A5C32FFB-A9E5-620A-1600-000000003702}1280368C:\Windows\system32\svchost.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000190830Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:34.849{A5C32FFB-A9E5-620A-1600-000000003702}12801324C:\Windows\system32\svchost.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000190829Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:34.802{A5C32FFB-B082-620A-B101-000000003702}60603848C:\Windows\system32\conhost.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000190828Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:34.802{A5C32FFB-AB44-620A-B400-000000003702}31605032C:\Windows\system32\csrss.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000190823Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-331.attackrange.local-2022-02-14 19:51:34.802{A5C32FFB-B082-620A-B001-000000003702}83208252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{A5C32FFB-B2C6-620A-7902-000000003702}9088C:\Windows\system32\rasautou.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\522db9cf6340db20d9ce58752dffc3b3\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38ba0024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+3802347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+380230b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38aeb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+37fe002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38043a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38025aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38025aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+3802593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+3801665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38023b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38023710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+3802347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+380230b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38aeb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+38008363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\96987e763a622d1cc421caa92e1c80c9\System.Management.Automation.ni.dll+380078d5(wow64)
Sysmon Event ID 1 (Process Create), EventRecordID 190822 (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-mhaag-attack-range-331.attackrange.local
  RuleName: -
  UtcTime: 2022-02-14 19:51:34.808
  ProcessGuid: {A5C32FFB-B2C6-620A-7902-000000003702}
  ProcessId: 9088
  Image: C:\Windows\System32\rasautou.exe
  FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
  Description: Remote Access Dialer
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: rasdlui.exe
  CommandLine: "C:\Windows\system32\rasautou.exe" –d C:\users\Administrator\Desktop\duedllgence.cpl –p powershell –a a –e e
  CurrentDirectory: C:\Users\Administrator\Desktop\
  User: ATTACKRANGE\Administrator
  LogonGuid: {A5C32FFB-AB46-620A-A913-0B0000000000}
  LogonId: 0xb13a9
  TerminalSessionId: 2
  IntegrityLevel: High
  Hashes: MD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47,IMPHASH=4DEB6099029EF388A82C081F043FC641
  ParentProcessGuid: {A5C32FFB-B082-620A-B001-000000003702}
  ParentProcessId: 8320
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Sysmon Event ID 1 (Process Create), EventRecordID 189677 (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-mhaag-attack-range-331.attackrange.local
  RuleName: -
  UtcTime: 2022-02-14 19:48:10.549
  ProcessGuid: {A5C32FFB-B1FA-620A-4402-000000003702}
  ProcessId: 7916
  Image: C:\Windows\System32\rasautou.exe
  FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
  Description: Remote Access Dialer
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: rasdlui.exe
  CommandLine: "C:\Windows\system32\rasautou.exe" -d C:\users\Administrator\Desktop\duedllgence.dll -p powershell –a a –e e
  CurrentDirectory: C:\Users\Administrator\Desktop\
  User: ATTACKRANGE\Administrator
  LogonGuid: {A5C32FFB-AB46-620A-A913-0B0000000000}
  LogonId: 0xb13a9
  TerminalSessionId: 2
  IntegrityLevel: High
  Hashes: MD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47,IMPHASH=4DEB6099029EF388A82C081F043FC641
  ParentProcessGuid: {A5C32FFB-B082-620A-B001-000000003702}
  ParentProcessId: 8320
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Sysmon Event ID 1 (Process Create), EventRecordID 189628 (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-mhaag-attack-range-331.attackrange.local
  RuleName: -
  UtcTime: 2022-02-14 19:48:06.668
  ProcessGuid: {A5C32FFB-B1F6-620A-4302-000000003702}
  ProcessId: 5560
  Image: C:\Windows\System32\rasautou.exe
  FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
  Description: Remote Access Dialer
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: rasdlui.exe
  CommandLine: "C:\Windows\system32\rasautou.exe" -d C:\users\Administrator\Desktop\duedllgence.dll -p powershell –a a –e e
  CurrentDirectory: C:\Users\Administrator\Desktop\
  User: ATTACKRANGE\Administrator
  LogonGuid: {A5C32FFB-AB46-620A-A913-0B0000000000}
  LogonId: 0xb13a9
  TerminalSessionId: 2
  IntegrityLevel: High
  Hashes: MD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47,IMPHASH=4DEB6099029EF388A82C081F043FC641
  ParentProcessGuid: {A5C32FFB-B082-620A-B001-000000003702}
  ParentProcessId: 8320
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Sysmon Event ID 1 (Process Create), EventRecordID 189574 (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-mhaag-attack-range-331.attackrange.local
  RuleName: -
  UtcTime: 2022-02-14 19:47:32.743
  ProcessGuid: {A5C32FFB-B1D4-620A-4202-000000003702}
  ProcessId: 708
  Image: C:\Windows\System32\rasautou.exe
  FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
  Description: Remote Access Dialer
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: rasdlui.exe
  CommandLine: "C:\Windows\system32\rasautou.exe" -h
  CurrentDirectory: C:\Users\Administrator\
  User: ATTACKRANGE\Administrator
  LogonGuid: {A5C32FFB-AB46-620A-A913-0B0000000000}
  LogonId: 0xb13a9
  TerminalSessionId: 2
  IntegrityLevel: High
  Hashes: MD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47,IMPHASH=4DEB6099029EF388A82C081F043FC641
  ParentProcessGuid: {A5C32FFB-B082-620A-B001-000000003702}
  ParentProcessId: 8320
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Sysmon Event ID 1 (Process Create), EventRecordID 189560 (Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000)
  Channel: Microsoft-Windows-Sysmon/Operational
  Computer: win-dc-mhaag-attack-range-331.attackrange.local
  RuleName: -
  UtcTime: 2022-02-14 19:47:29.579
  ProcessGuid: {A5C32FFB-B1D1-620A-4102-000000003702}
  ProcessId: 5892
  Image: C:\Windows\System32\rasautou.exe
  FileVersion: 10.0.14393.0 (rs1_release.160715-1616)
  Description: Remote Access Dialer
  Product: Microsoft® Windows® Operating System
  Company: Microsoft Corporation
  OriginalFileName: rasdlui.exe
  CommandLine: "C:\Windows\system32\rasautou.exe"
  CurrentDirectory: C:\Users\Administrator\
  User: ATTACKRANGE\Administrator
  LogonGuid: {A5C32FFB-AB46-620A-A913-0B0000000000}
  LogonId: 0xb13a9
  TerminalSessionId: 2
  IntegrityLevel: High
  Hashes: MD5=C75AB414BCEEC65F5D0A19B24A77B878,SHA256=049A173C36F34089B4D427FA10AE3875B6AB49577C891565C2C5E5EE5C6EFD47,IMPHASH=4DEB6099029EF388A82C081F043FC641
  ParentProcessGuid: {A5C32FFB-B082-620A-B001-000000003702}
  ParentProcessId: 8320
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"