11/21/2024 06:09:20 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=100 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 7943) 11/21/2024 06:09:20 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=99 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_TCP: An error was encountered when transitioning from TcpStateFrontAuth to TcpStateFailure in response to TcpEventFrontAuthFailed (error code 0x0). 11/21/2024 06:09:20 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=98 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 06:09:20 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=97 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = xfgMkwcAM0KhdIzwhd7voNDARK9OJvYNcGkP/WU3ZLc=- 11/21/2024 06:09:18 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=96 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 06:09:16 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=95 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 06:09:13 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=94 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 06:09:13 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=93 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 06:09:01 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=92 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 06:08:40 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=91 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 06:07:40 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=90 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 06:07:40 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=89 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 06:07:40 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=88 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 06:07:34 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=87 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 06:07:32 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=86 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 06:06:01 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=85 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 06:05:55 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=84 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 06:05:55 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=83 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 06:05:55 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=82 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 06:05:51 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=81 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 06:05:50 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=80 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 06:05:47 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=79 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 06:05:06 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=78 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 06:05:06 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=77 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 06:05:05 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=76 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 06:05:02 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=75 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 06:05:00 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=74 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 06:04:55 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=73 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 06:03:36 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=72 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 06:03:36 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=71 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 06:03:36 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=70 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 06:03:32 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=69 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 06:03:31 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=68 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:57:06 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=67 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 05:53:19 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=66 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:53:19 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=65 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 05:53:19 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=64 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 05:53:15 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=63 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 05:53:14 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=62 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:53:01 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=61 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 2308) 11/21/2024 05:53:01 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=60 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:52:44 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=59 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:50:28 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=58 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 05:50:28 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=57 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:49:11 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=56 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:48:56 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=55 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 260) 11/21/2024 05:48:56 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=54 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:48:56 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=53 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (us-west-1.ukrtelecom.cloud) 11/21/2024 05:47:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=52 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 05:47:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=51 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:46:47 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=50 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:41:13 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=49 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 05:41:11 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=48 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:41:11 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=47 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 05:41:11 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=46 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 05:41:03 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=45 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 05:41:01 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=44 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:40:59 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=43 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1) 11/21/2024 05:38:30 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=42 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:38:30 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=41 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 05:38:30 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=40 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 05:38:30 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=39 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 05:38:29 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=38 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 2055) 11/21/2024 05:38:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=37 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:38:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=36 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005). 11/21/2024 05:38:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1029 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=35 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Base64(SHA256(UserName)) is = UmTGMgTFbA35+PSgMOoZ2ToPpAK+awC010ZOYWQQIfc=- 11/21/2024 05:38:14 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=34 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 05:38:12 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=33 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:37:49 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=32 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1033) 11/21/2024 05:37:46 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=31 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:37:46 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=30 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 05:37:46 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=29 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:37:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=28 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1033) 11/21/2024 05:37:23 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=27 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:37:23 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=26 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 05:37:23 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=25 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:37:06 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=24 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 1033) 11/21/2024 05:36:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=23 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:36:25 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1028 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=22 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=Server supports SSL = supported 11/21/2024 05:36:24 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=21 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:35:58 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=20 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 2308) 11/21/2024 05:35:58 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=19 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:35:49 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=18 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:35:42 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=17 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 2308) 11/21/2024 05:35:42 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=16 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:35:38 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=15 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 05:35:19 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=14 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 516) 11/21/2024 05:35:19 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=13 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_TCP: An error was encountered when transitioning from TcpStateConnectingTransport to TcpStateDisconnected in response to TcpEventConnectionTimeout (error code 0x80004004). 11/21/2024 05:35:19 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=12 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 05:35:03 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=11 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (34.221.50.57) 11/21/2024 04:35:49 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=10 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 516) 11/21/2024 04:35:49 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=226 EventType=3 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Warning RecordNumber=9 Keywords=None TaskCategory=RDP State Transition OpCode=This event is raised during a state transition. Message=RDPClient_TCP: An error was encountered when transitioning from TcpStateConnectingTransport to TcpStateDisconnected in response to TcpEventConnectionTimeout (error code 0x80004004). 11/21/2024 04:35:49 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=8 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 04:35:33 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=7 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (google.com) 11/21/2024 04:32:42 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=6 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 260) 11/21/2024 04:32:42 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=5 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 04:32:42 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=4 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (us-west-1.ukrtelecom.cloud) 11/21/2024 04:32:38 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1026 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=3 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the disconnection process Message=RDP ClientActiveX has been disconnected (Reason= 260) 11/21/2024 04:32:38 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1105 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=2 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=The multi-transport connection has been disconnected. 11/21/2024 04:32:37 PM LogName=Microsoft-Windows-TerminalServices-RDPClient/Operational EventCode=1024 EventType=4 ComputerName=ar-win-5.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1731938146-2314223186-1848411941-500 SidType=0 SourceName=Microsoft-Windows-TerminalServices-ClientActiveXCore Type=Information RecordNumber=1 Keywords=None TaskCategory=Connection Sequence OpCode=This event is raised during the connection process Message=RDP ClientActiveX is trying to connect to the server (us-west-1.ukrtelecom.cloud)